CRITICAL INFORMATION INFRASTRUCTURE 
PROTECTION: THE THREAT IS REAL 


WEDNESDAY, OCTOBER 6, 1999 

U.S. Senate, 

Subcommittee on Technology, Terrorism, 

AND Government Information, 

Committee on the Judiciary, 

Washington, DC. 

The committee met, pursuant to notice, at 10:01 a.m., in room 
SD-226, Dirksen Senate Office Building, Hon. Jon Kyl (chairman 
of the subcommittee) presiding. 

Also present: Senators Feinstein and Bennett (ex officio). 

OPENING STATEMENT OF HON. JON KYL, A U.S. SENATOR 
FROM THE STATE OF ARIZONA 

Senator Kyl. The hearing before the Senate Judiciary Commit- 
tee, Subcommittee on Technology, Terrorism, and Government In- 
formation will please come to order. 

Today’s hearing is on the subject of the critical information infra- 
structure and protection of the infrastructure and the threat there- 
to. Our panelists this morning, we will have two panels, and on the 
first panel, we have Mr. John S. Tritak, who is Director of the Crit- 
ical Information Assurance Office in Washington, and Mr. Michael 
Vatis, the Director of the National Infrastructure Protection Center 
here. The second panel will be Mr. Jack Brock, Director of Informa- 
tion Management Issues at the General Accounting Office. I appre- 
ciate the attendance of the witnesses here. 

I am informed that other members of the subcommittee will be 
arriving, but in view of the schedules of everyone concerned, I am 
going to begin the hearing right on time and we will move forward 
from there. 

Let me first of all make a brief opening statement and then call 
upon our two witnesses to make an opening statement, after which 
we will have a series of questions. 

At our hearing today, we are going to examine a growing public 
policy concern, the threat of hostile attack on our Nation’s critical 
information infrastructure and the adequacy of the Federal Gov- 
ernment’s response to this threat. This is the fourth public hearing 
that our subcommittee has held on the topic in the last 2 years, 
and given the importance of the subject, it will not be our last. 

The President’s top advisors recently issued a report on preserv- 
ing America’s privacy and security in cyberspace. As the report 
points out, the enormous success the United States has enjoyed 
over the past century was due in part to the ability of our Nation 
and its leaders to deal with the latest technological trends in a way 
that enhanced the security and prosperity of successive generations 
of Americans. At critical junctures in our history, wise government 
policies with regard to innovative technology have resulted in un- 
precedented success. 

During the industrial age, the arrival of World War II signaled 
an urgent need for increased production and scientific advances. 
The success of America’s war effort in defeating fascism rested 
largely on the strength of our industrial might and the successful 
collaboration between our government and industry. We not only 
protected America’s security, but also vaulted the U.S. economy to 
unprecedented heights in the post-war period. 

Today, the industrial age has become the information age and 
computers facilitate the instant exchange of vast amounts of data 
and ideas. Who would have predicted just a few decades ago that 
a small Defense Department research effort would result in the 
creation of the Internet and revolutionize our society. 

As we approach the dawn of the new millennium, America again 
faces a time of pivotal change. Information technology presents 
both an opportunity and a threat to our society, which is increas- 
ingly dependent upon computers and communications equipment, 
what we call our critical information infrastructure. As most Amer- 
icans have learned recently, with the preparations for Y2K to make 
sure there are no major disruptions in services, virtually every key 
service is dependent upon computers, from electric power grids, to 
phone systems, to air traffic control, water and sewer service, medi- 
cal devices, banking, and the list goes on and on. Unfortunately, 
very few of these critical computer networks were designed with 
good security measures. 

The changes in our society also must be viewed in context with 
America’s changing geopolitical role in the post-Cold War world. 
The United States is the world’s only superpower and our armed 
forces enjoy technological superiority on the battlefield. Nations 
and terrorist groups that are hostile to our interests are increas- 
ingly choosing not to confront our strengths directly, that is, by try- 
ing to field fleets of advanced fighter planes or ships on par with 
ours, but rather are seeking to exploit our vulnerabilities, looking 
hard for an Achilles heel. 

According to the National Security Agency, over 100 countries 
are working on information warfare techniques. One recent case il- 
lustrates the danger of this threat. According to Newsweek maga- 
zine, computer systems at the Defense and Energy Departments 
have been the subject of a sustained computer hacking effort from 
Russia. These attacks have resulted in the loss of vast quantities 
of data, possibly including classified naval codes and information 
on missile guidance systems. 

These computer attacks have reportedly been very subtle. For ex- 
ample, the London Sunday Times interviewed an engineer at the 
Space and Naval Warfare Systems Command in San Diego, CA, 
who described being alerted to a problem when a computer print 
job took an unusually long time. According to the Times, “To his 
amazement, monitoring tools showed that the file had been re- 
moved from the printing queue and transmitted to an Internet 
server in Moscow before being sent back to San Diego.” 
And there are other troubling examples of computer attacks by 
U.S. citizens that demonstrate our weaknesses in this area. For ex- 
ample, one group dubbed the “Phonemasters” by the FBI manipu- 
lated computers that route telephone calls. These hackers report- 
edly gained access to telephone networks of companies like AT&T, 
British Telecom, GTE, Sprint, MCI WorldCom, and Southwestern 
Bell. 

At times, these hackers were able to eavesdrop on phone calls, 
compromise databases, and redirect communications at will, ac- 
cording to press accounts. In addition, they apparently had access 
to portions of the nation’s power grid and air traffic control systems 
and hacked their way into a digital cache of unpublished phone 
numbers at the White House. In one prank, this group even suc- 
ceeded in forwarding FBI phone lines to sex-chat lines in Germany, 
Moldavia, and Hong Kong, resulting in the FBI being billed 
$200,000 for these calls. 

These calls would be amusing if the stakes were not so high. 
Given a more malicious intent, hackers in our country, or those 
working for terrorist groups or the military services of nations hos- 
tile to the United States, could do far greater damage to our critical 
information infrastructure, resulting in what some have termed 
“an electronic Pearl Harbor.” We have been fortunate that the 
United States has escaped serious harm thus far, but our luck is 
likely to run out unless we take aggressive steps to tighten these 
gaps. As Winston Churchill once observed, in history, “the terrible 
‘ifs’ accumulate.” 

At today’s hearing, we will explore how our government has ap- 
proached this problem as well as how its efforts might be improved. 
We will also discuss whether new legislation is required and we 
will explore the impact of the government’s cyber-protection efforts 
on the privacy of American citizens. 

Our witnesses are ideally suited to address these issues. Mr. 
John Tritak, Director of the Critical Information Assurance Office, 
is responsible for the development of an integrated national plan 
to address the threats to our critical infrastructure. He will be fol- 
lowed by Michael Vatis, the Director of the National Infrastructure 
Protection Center, an interagency organization that is charged with 
leading the Federal Government’s efforts to detect, prevent, inves- 
tigate, and respond to cyber attacks on U.S. critical infrastructures. 

And on our second and final panel, Mr. Jack Brock, Director of 
Government Information Systems at the GAO, will testify about 
the type of vulnerabilities to cyber attacks that exist in computer 
networks operated by Federal agencies that the GAO has identified 
during annual audits and the status and effectiveness of the gov- 
ernment’s effort to reduce these vulnerabilities. 

It is my great pleasure to turn first to Senator Dianne Feinstein 
of California and then to Robert Bennett of Utah, two of the real 
experts in the U.S. Senate on this subject. Senator Feinstein is the 
ranking member of this subcommittee. She and I have been work- 
ing for a long time, concerned about the protection, the necessity 
of protecting our Nation’s critical infrastructure. 

Senator Bennett, not even a member of this committee, has such 
an interest in this subject that as chairman of the special Y2K 
Committee here in the Senate, he has taken an interest in what 
we are doing and what others in the Congress are doing to deal 
with this issue. It is largely to his credit, through the Y2K Commit- 
tee chairmanship, that a lot of this information has been brought 
to light to the American public at large. So I am really pleased that 
Senator Bennett is here with us, as well. 

Senator Feinstein. 

STATEMENT OF HON. DIANNE FEINSTEIN, A U.S. SENATOR 
FROM THE STATE OF CALIFORNIA 

Senator Feinstein. Thanks very much, Mr. Chairman. I think 
you know how much I enjoy working with you and I want to thank 
you for your leadership on this subject. I think I probably do not 
qualify as an expert. I think my colleague, Senator Bennett, prob- 
ably does. But I think I do qualify as someone that believes that 
this area is one of the most critical and crucial areas we now face, 
how to address the serious and increasing threats to our national 
infrastructure. 

The advent of a new technology age in which we now live has 
brought America certainly great prosperity. California, my State, 
has benefitted immensely from these developments. Powerful com- 
puters now control our electricity, our phone service, our plane traf- 
fic, our national defense, and they have moved us forward much 
more quickly than anyone ever could have imagined. We can plan 
our physical infrastructure more efficiently. We can test prototype 
aircraft on a computer screen without ever spending a dime on con- 
struction. We can allocate resources more efficiently and at a lower 
cost than ever before. 

And the power of a new global communication network has taken 
people from the ends of the earth and brought them together, al- 
most as if they were next-door neighbors. Amazing. Ten years ago, 
sending a message through the mail from Cairo to California would 
take weeks. Now, that simple message can be sent with a simple 
stroke of a key and accomplished in the blink of an eye. That 
power, the power of instant, inexpensive communication across 
mountains, oceans, and international boundaries has opened up 
vast potential for global cooperation and a truly borderless econ- 
omy. 

But, and here is the but, with that power, also comes extraor- 
dinary danger. Just like an e-mail from friend to friend can travel 
over the ocean and across national boundaries in a split second, so 
can a computer virus or a casual hacker attack or a foreign cyber 
terrorist. As a result, this Nation faces serious challenges in the 
coming months and years. We must learn to balance the benefits 
of global interconnectivity with the need to protect our vital infor- 
mation, our defense, our infrastructure. 

About a dozen countries have information warfare programs. 
They include Libya, Iraq, and Iran. Foreign intelligence services 
routinely break into American public and private sector computers, 
mapping power grids to find weak links and leaving trap doors at 
virtually every U.S. military base. 

Last year, two California high school sophomores were among a 
group suspected of penetrating and compromising at least 11 sen- 
sitive computer systems and military installations and dozens of 
systems at other government facilities, including Federal labora- 
tories that perform nuclear weapons research. These children were 
just looking for some excitement, and guess what, they found it. 
But imagine if they had been out to do real damage. Imagine if 
they had been employed by a hostile foreign government. 

Because of the interrelated nature of our critical infrastructure 
systems, today’s terrorist has the potential to do with a keyboard 
what in the last world war might have taken a squadron of bomb- 
ers to accomplish. At stake are not only the information systems 
upon which we rely, but the electric power grid, the public switch 
communications network, the air traffic control system, the bank- 
ing system, rail transport, oil and gas distribution networks, and 
a host of other networks on which our national security and our 
way of life today depend. 

We have begun to address this threat. Presidential Decision Di- 
rective 63, issued last year, identifies critical infrastructure protec- 
tion as a national security priority and commits us to effectively 
protect our critical infrastructures within 5 years. But the time 
table established by Public Directive 63 is already slipping. A na- 
tional report was due to Congress last December. As of today, we 
have still not seen it. 

I look forward to examining today what our government has done 
to protect our critical infrastructure and what more can be done. 
This Congress and this subcommittee has a clear responsibility to 
do what it takes to protect this Nation from the threat of cyber ter- 
rorism and from the enormous risks that come hand in hand with 
the advances in technology that have given us so much over the 
last few years. 

So thank you, Mr. Chairman, for your leadership and for sched- 
uling this hearing and your very serious attention to this issue. 

Senator Kyl. Thank you for a fine statement, Senator Feinstein. 

Now, I would like to turn to Senator Robert Bennett for any com- 
ments he may have. 

STATEMENT OF HON. ROBERT F. BENNETT, A U.S. SENATOR 
FROM THE STATE OF UTAH 

Senator Bennett. Thank you, Mr. Chairman. I appreciate your 
courtesy in allowing me to come where non-lawyers usually do not 
appear. I understand Senator Feinstein is not a lawyer, and that 

Senator Feinstein. I am not a lawyer. 

Senator Kyl. Now, you guys quit bragging. [Laughter.] 

Senator Bennett. That demonstrates how open-minded you are 
on this committee. 

I think you are having the first of what will be a long series of 
hearings. This is an issue which we are only barely beginning to 
understand, but I think, ultimately, the next President, whomever 
he or she may be, will find that the challenge of information war- 
fare will be the number one national security issue of the next ad- 
ministration. 

I recently went to an office where they had drawn a map of the 
new world. Whenever you think of military threats, you start out 
with the geography and you draw the map and the various sides. 
This was a map of the Internet and it did not look like any map 
you or I have ever seen before. It looked like an abstract painting. 
I wanted to take it down and put it in my office. 

The world geologically is billions of years old. The world elec- 
tronically is 10 years old or less. And the one thing that was strik- 
ing about this map is that there were no oceans on it. When we 
talk about the U.S. militarily, we talk about the sanctuary of North 
America between two oceans, and on this new map of the new 
world, there were no oceans and no sanctuary. Mr. Chairman, you 
and Senator Feinstein have summarized this very well in your 
statements. 

The reason I think this hearing is important is because we do not 
have in our present governmental structure a neat pigeon hole in 
which to put this particular threat. For example, if somebody does 
the kinds of things that Senator Feinstein was describing, is that 
a military attack on our national security and, therefore, the re- 
sponsibility of the Defense Department, or is that a violation of pri- 
vate property rights and, therefore, an issue for law enforcement, 
or does it become both? And where do the responsibilities lie for the 
Defense Department to protect us from foreign attack and from the 
Justice Department to protect us from intrusions? 

Inevitably, in this new world, those intrusions will merge. For- 
eign efforts to destroy us, cripple us, do us harm, will very clearly 
merge with domestic capabilities to break in. We have already seen 
the example of a foreign agent who hired some American teenage 
hackers, and as Senator Feinstein said, they were out for the 
thrills and experience, but their mentor had a much more mali- 
cious purpose in mind. 

I think the Judiciary Committee is the logical place to be holding 
these kinds of hearings. I have talked with Senator Roberts, who 
plans to be holding hearings in the Armed Services Committee, and 
we, of course, have held some hearings on this in the Senate Spe- 
cial Committee on the Year 2000. Some of your witnesses here 
today have already testified before that committee. 

So, as I say, I think this is the first of what will be a series of 
hearings. Ultimately, I think the issue must come before the Sen- 
ate leadership and the House leadership to say where appro- 
priately within the legislative structure does the responsibility lie 
for oversight and coordination of this very, very important chal- 
lenge. 

So I congratulate you on your hearings and I am very grateful 
for your willingness to allow me to participate. 

Senator Kyl. Thank you very much, Senator Bennett. 

Now to our panel. Mr. John Tritak, you will lead off, and then 
Michael Vatis. 

PANEL CONSISTING OF JOHN S. TRITAK, DIRECTOR, CRITICAL 
INFRASTRUCTURE ASSURANCE OFFICE, WASHINGTON, DC; 
AND MICHAEL A. VATIS, DIRECTOR, NATIONAL INFRASTRUC- 
TURE PROTECTION CENTER, WASHINGTON, DC 

STATEMENT OF JOHN S. TRITAK 

Mr. Tritak. Thank you, Senator Kyl, Senator Feinstein, Senator 
Bennett. It is truly an honor to be here today to discuss the chal- 
lenges facing our Nation in the area of critical infrastructure pro- 
tection and the efforts being undertaken by the administration to 
address those challenges. I intend to keep my opening remarks 
very brief and ask that my written statement be entered into the 
record. 

Senator Kyl. All of the statements will be admitted, without ob- 
jection. 

Mr. Tritak. Thank you, sir. America has long relied on complex 
systems or critical infrastructures to assure the delivery of services 
vital to its national security, economic prosperity, and social well- 
being. These infrastructures include telecommunications, electric 
power, oil and gas delivery and storage, banking and finance, 
transportation, and vital human services and government services. 
The information age has fundamentally altered the nature and ex- 
tent of our reliance on these infrastructures. 

Our government, our economy, our society, indeed, our individual 
lives are becoming increasingly dependent on an ever-expanding 
system of networks of computers and information systems. The in- 
creasing dependence on computer control networks, combined with 
the growing interdependence of our Nation’s critical infrastruc- 
tures, together present a new kind of vulnerability, especially to de- 
liberate attack. 

The threats posed to our critical infrastructures are real and 
growing. The nature of these threats and the potential risks they 
pose to the Nation’s infrastructures will be addressed by Mr. Vatis 
of the National Infrastructure Protection Center. 

PDD 63 was issued in May 1998 to take up the unique chal- 
lenges posed by these threats. I say unique because the risks posed 
to our critical infrastructures present a challenge that is really 
unique in our history, as this may very well be the first time a na- 
tional security challenge cannot be solved by the government alone. 
Indeed, 90 percent of the infrastructures that we are concerned 
about are privately owned and operated. 

This is why PDD 63 stresses the importance of establishing pub- 
lic-private partnerships and why the President has designated lead 
agencies in the Federal Government to work as liaisons with the 
respective sectors to build those partnerships. PDD 63 also recog- 
nizes the traditional areas of national defense, foreign affairs, intel- 
ligence, and law enforcement and that they are fundamental to 
protection of our infrastructures, inherent in the domain of govern- 
ment, and stipulates that sector coordinators be designated for 
these areas from the associated government agencies. 

Shortly, the administration will publish the first version of a 
plan to implement PDD 63. The draft is in the final stages of inter- 
agency clearance, so I cannot go into a great deal of detail on its 
content. However, I can highlight the themes that are captured in 
the plan as well as what is contained in PDD 63. 

First is a continuing commitment to protecting those infrastruc- 
tures that are necessary in order to perform national defense and 
intelligence missions. I believe you have submitted for the record 
the statement by Mr. Richard Schaeffer of the Office of the Sec- 
retary of Defense, who lays out in great detail what efforts are 
being undertaken in that regard to protect those infrastructures. 

Second is a need for the U.S. Government to serve as a model 
in critical infrastructure protection. Recognizing that maybe most 
of the critical infrastructures of our country are privately owned, 
it is very difficult for the government to call upon private industry 
to take up the challenge posed by PDD 63 unless it has its own 
house in order. With that in mind, the President charges the Fed- 
eral Government to do what it needs to do to ensure that its criti- 
cal infrastructures are protected against intentional attack. 

Third and finally, there is a need to establish the partnerships 
between private industry and the government on the one hand and 
to encourage information sharing arrangements first and foremost 
within industries themselves and ultimately between industry and 
government. Those partnerships at various levels, we believe, will 
secure our Nation’s infrastructures over the long term and that a 
collaborative effort will ensure that creative solutions are developed 
to meeting the challenges of the future. 

I would like to conclude my remarks very briefly by highlighting 
some of the key programs that are likely to appear in a national 
plan, as they are deemed sufficiently important by the administra- 
tion to request accelerated funding in the fiscal year 1999 budget 
amendment, which is before you at the moment. 

The first of these supports an aggressive government-wide imple- 
mentation of a Federal computer security requirements program. 
The proposal requests $5 million to establish a permanent 15-mem- 
ber expert review team that would assist government agencies in 
identifying vulnerabilities, plan secure systems, and to implement 
critical infrastructure protection plans. The Critical Infrastructure 
Assurance Office under PDD 63 is to assist agencies in identifying 
critical systems and their own dependencies, and we will be work- 
ing and supporting the expert review team in that effort. 

Second, the administration requests $8.4 million to establish a 
Federal intrusion detection monitoring system to secure Federal 
Government computer systems. A couple of key points I would like 
to make about that briefly, given the amount of coverage that has 
been given to this issue in the press. 

First, this is meant to cover civilian government agencies only. 
This is not meant to be wired into the private sector or to include 
private industries in some fraud monitoring system. 

It provides a centralized capability to analyze anomalous activi- 
ties that agencies may detect through the use of their monitoring 
systems. 

Fourth, any Federal intrusion detection monitoring system that 
is developed will be fully consistent with existing privacy laws. No 
additional authorization has been given to the government in order 
to implement this program. 

Finally, in cases where activity suggests criminal intent and 
criminal activity, those and only those pieces of information will be 
going to law enforcement, as appropriate under existing laws. 

The third request is for approximately $17 million for the recruit- 
ment, training, and retention of Federal information technology 
managers and officers. The purpose of this program is to ensure 
that the Federal Government, if it is to act as a model, has the ca- 
pabilities to protect its information infrastructures against mali- 
cious intent and activity. 
Fourth, $7 million is requested for ongoing efforts to secure gov- 
ernment-to-government communications through the establishment 
of public key infrastructures. 

Fifth and finally, $2 million is being requested to support two 
pilot programs to foster information sharing arrangements between 
State and local governments and private industry. 

I would like to thank you for having me here today and I wel- 
come any questions you may have. 

Senator Kyl. Thank you very much. 

[The prepared statement of Mr. Tritak follows:] 

Prepared Statement of John S. Tritak 

Mr. Chairman, Madame Ranking Member, members of the Subcommittee, ladies 
and gentlemen, it is an honor to appear before you here today to discuss the chal- 
lenges facing our Nation in the area of critical infrastructure protection. This Sub- 
committee has shown exceptional leadership on these issues, and I am grateful for 
the opportunity to work closely with you and the Congress to find ways to advance 
infrastructure assurance for all Americans. We all recognize that no viable solutions 
will be discovered or implemented without the executive and legislative branches 
working together for our national good. 

I. INTRODUCTION 

America has long depended on a complex of systems — or critical infrastructures — 
to assure the delivery of services vital to its national defense, economic prosperity, 
and social well-being. These infrastructures include telecommunications, electric 
power, oil and gas delivery and storage, banking and finance, transportation, and 
vital human and government services. 

The information age has fundamentally altered the nature and extent of our de- 
pendency on these infrastructures. Increasingly, our government, economy and soci- 
ety are being connected together into an ever expanding and interdependent digital 
nervous system of computers and information systems. With this interdependence 
comes new vulnerabilities. One person with a computer, a modem, and a telephone 
line anywhere in the world can potentially break into sensitive government files, 
shut down an airport’s air traffic control system, or cause a power outage in an en- 
tire region. 

The threats posed to our critical infrastructures by hackers, terrorists, criminal 
organizations and foreign governments are real and growing. The nature of these 
threats will be addressed by Mr. Vatis of the National Infrastructure Protection 
Center (NIPC). 

Before I discuss the initiatives the Administration is undertaking to secure our 
nation’s critical infrastructures, I would like to discuss the historical context within 
which PDD-63 arose. 

In the early 1990’s, events such as the 1995 bombing of the Murrah Federal 
Building in Oklahoma City demonstrated that the federal government needed to ad- 
dress new types of threats and vulnerabilities — many of which the nation was un- 
prepared to defend against. 

In response to this tragedy, and other events, the Administration formed an inter- 
agency working group to examine the nature of the threat, our vulnerabilities, and 
possible long-term solutions for this aspect of our national security. The Critical In- 
frastructure Working Group (CIWG), chaired by then Deputy Attorney General 
Jamie Gorelick, and including representatives from the Defense, Intelligence, and 
national security communities, identified both physical and cyber threats and rec- 
ommended formation of a Presidential Commission to address more thoroughly 
many of these growing concerns. 

In July 1996, in response to the CIWG recommendation, President Clinton signed 
Executive Order 13010 establishing the President’s Commission on Critical Infra- 
structure Protection (PCCIP or, the Commission). After examining infrastructure 
issues for over a year, the Commission issued its report, Critical Foundations: Pro- 
tecting America’s Infrastructures, drawing at least four significant conclusions: 

• First, critical infrastructure protection is central to our national defense, includ- 
ing national security and national economic power; 

• Second, growing complexity and interdependence between critical infrastruc- 
tures may create increased possibility that rather minor and routine disturb- 
ances can cascade into national security emergencies; 
• Third, vulnerabilities are increasing steadily and the means to exploit weak- 
nesses are readily available; practical measures and mechanisms, the commis- 
sion argued, must be urgently undertaken before we are confronted with a na- 
tional crisis; and 

• Fourth, laying a foundation for security will depend on new forms of cooperation 
with the private sector, which owns and operates many of these critical infra- 
structure facilities. 


II. PDD-63 — OVERVIEW 

After releasing the PCCIP report, the Administration worked to incorporate these 
and other recommendations into Presidential Decision Directive 63, which was 
issued in May 1998. Most importantly, PDD-63 recognizes the need for a Public- 
Private Partnership to face these critical issues. The directive specifies sectors of the 
national infrastructure, primarily in the private sector, that provide critical services 
or functions. It designates lead agencies in the Federal Government to work as liai- 
sons with their respective sectors to build partnerships. PDD-63 additionally recog- 
nizes that the traditional areas of national defense, foreign affairs, intelligence, and 
law enforcement are fundamental to infrastructure protection, are inherently the do- 
main of the government, and stipulates that sector coordinators be designated for 
these areas from the associated government agencies. 

PDD-63 established the position of National Coordinator for Security, Infrastruc- 
ture Protection, and Counter Terrorism to orchestrate these efforts. The PDD lays 
out specific tasks that must be accomplished, time lines for doing so, and organiza- 
tions for carrying out these missions. Key amongst them are the National Infra- 
structure Protection Center (NIPC), Directed by Mr. Vatis, and the National Plan 
Coordination Staff — now called the Critical Infrastructure Assurance Office 
(CIAO) — which I have the honor of directing. 

PDD-63 focuses the nation’s efforts on aspects of critical and immediate impor- 
tance — and I emphasize that these must be the efforts of the whole nation, for suc- 
cess will come only from the efforts of the private sector, state and local govern- 
ments, and the Federal Government working together in an integrated and coopera- 
tive manner. Our efforts fall in three broad categories. 

A. Defense and intelligence components 

The first is the Federal Government agencies involved in defense and intelligence 
efforts. The armed forces and intelligence agencies have requirements and systems 
that are unique to their special role. This has long been recognized in law, in the 
way we structure these organizations, and in our national philosophy. Their efforts 
are, as would be expected from the sensitive and well established nature of their 
mission, much further along in achieving critical infrastructure protection than 
those of the other parts of the Federal Government. In many ways they have set 
the example for other agencies’ efforts, and they currently share their experiences 
and advise on how the rest of the government might proceed. Their contribution has 
been very important in shaping the policy and programmatic reality the rest of the 
government is currently trying to establish. Mr. Richard Schaeffer, Director of the 
Information and Infrastructure Assurance Office for the Defense Department, has 
submitted a statement for the record on this and other matters, so, in the cause of brevity, I will refer you to it and cover their efforts no further. 

B. Government as model 

The second category of effort can be called “Government as a Model.” We often 
say that more than 90 percent of our critical infrastructures are neither owned nor 
operated by the Federal Government. Partnerships with the private sector and State 
and Local Governments are therefore not just needed, but are the fundamental as- 
pect of critical infrastructure protection. Yet, the President rightly challenged the 
Federal Government in PDD-63 to serve as a model for critical infrastructure pro- 
tection — to put our own house in order first. As such, the Administration has fo- 
cused what might appear to be a disproportionate amount of our effort early in the 
process on doing this by establishing a coordinated and integrated approach across 
the Federal Government. 

• Federal Computer Security Requirements and Government Infrastructure De- 
pendencies 

One component of this effort supports aggressive, government-wide implementation of federal computer security requirements. Thus, in support of PDD-63, the 
President forwarded to Congress a request for a fiscal year 2000 budget amendment 
that would enhance computer security and critical infrastructure protection in the 
Federal Government. This proposal would fund a permanent 15-member team at the 
Department of Commerce’s National Institute of Standards and Technology (NIST) 
responsible for helping Agencies identify vulnerabilities, plan secure systems, and 
implement Critical Infrastructure Protection Plans. The budget amendment would 
also establish an operational fund at NIST for computer security projects among 
Federal Agencies, including independent vulnerability assessments, computer intru- 
sion drills, and emergency funds to cover security fixes for systems identified to 
have unacceptable security risks. Among others, the Director of the team would con- 
sult with the Office of Management and Budget and the National Security Council 
on the team’s plan to protect and enhance computer security for Federal Agencies. 

Under PDD-63, the President directed the CIAO to coordinate analyses of the 
U.S. Government’s own dependencies on critical infrastructures. Many of the critical 
infrastructures that support our nation’s defense and security are shared by mul- 
tiple agencies. Even within government, then, critical infrastructure outages may 
cascade and unduly impair delivery of critical services. The CIAO is coordinating 
an interagency effort to develop a more sophisticated identification of critical nodes 
and systems and their impact on national security government-wide. These efforts 
will support the work of the ERT in identifying vulnerabilities of the government’s 
computer infrastructures, planning secure computer systems, and implementing 
computer security plans. 

This research, when complete, will provide important information to maximize national security research and development, budgeting, and for implementing Federal 
computer security requirements and critical infrastructure planning within each 
agency. 

• Federal Intrusion Detection Network (FIDNET) 

PDD-63 marshals resources to improve interagency cooperation in detecting, and 
in responding to computer intrusions into civilian government critical infrastructure 
nodes. To support this effort, the Administration recently sent to Congress a fiscal 
year 2000 Budget Amendment to create a centralized intrusion detection and re- 
sponse capability in the General Services Administration (GSA). Through the use 
of additional staff and enhanced technology, Federal Agencies will improve upon 
their abilities to: 

• detect computer attacks and unauthorized intrusions; 

• share attack warnings and related information across agencies; and 

• respond to attacks. 

This amendment would provide GSA funds to pay for additional technology and 
personnel dedicated to intrusion detection and response. The additional personnel 
would improve Federal Agencies’ ability to detect attacks, analyze data, and commu- 
nicate attack information more swiftly, building on the existing Federal Computer 
Incident Response Capability (FedCIRC). The additional technology, in the form of 
state-of-the-art intrusion detection systems, would ensure a consistent capability in 
Agencies to protect critical systems. 

The program — much like a centralized burglar alarm system — would operate 
within legal requirements and Government policy concerning privacy, civil liberties, 
and promoting confidence in users of Federal civilian computer systems. Attack and 
intrusion information would be gathered and analyzed by Agency experts. Only data 
on system anomalies would be forwarded to GSA for further analysis. 

Neither the Federal Bureau of Investigation nor other law enforcement entities 
would receive information about the computer attacks and intrusions — except under 
long-standing legal rules and where an Agency determines there is sufficient indica- 
tion of illegal conduct. Also, private entities will not be wired to the FIDNet — no 
private sector entity is part of this civilian government program. 

In short, FIDNet will be run by the GSA, not the FBI; will not monitor any pri- 
vate networks or email traffic; will confer no new authorities on any government 
agency; and will be fully consistent with privacy law and practice. 

• Education and Training 

One of the nation’s important shortcomings in our efforts to protect our critical 
infrastructures is a shortage of skilled information technology (IT) personnel. Within 
the subset of information systems security personnel, the shortage is acute. Within 
the Federal Government, the lack of skilled information systems security personnel 
amounts to a crisis. This shortfall of workers reflects a scarcity of university grad- 
uate and undergraduate information security programs. In attacking this problem, 
we will leverage the initial efforts made by the Defense Department, National Secu- 
rity Agency, and some Federal Agencies. 

The Federal Cyber Services (FCS) training and education initiative introduces five 
programs to help solve the Federal IT security personnel problem. 
• The completion of an Office of Personnel Management IT occupational study. 
This study will help identify the number of IT security positions in the Federal 
Government, and the training and certification requirements for these positions. 

• The development of Center(s) for Information Technology Excellence (CITE). 
These Centers will train and certify current Federal IT security personnel and 
maintain their skill levels throughout their careers. It will leverage the signifi- 
cant progress made by the Defense Department and other federal agencies on 
this issue. 

• The creation of a Scholarship for Service (SFS) program to recruit and educate 
the next generation of Federal IT security workers and managers. This program 
will fund up to 300 students per year in their pursuit of undergraduate or grad- 
uate degrees in the IT security field. In return, the students will serve in the 
Federal IT workforce for a fixed period following graduation. The program will 
also have a meaningful summer work and internship element. An important 
part of the SFS program is the need to identify universities for participation in 
the program and assist in the development of IT security faculty and labora- 
tories at these universities. 

• The development of a high school recruitment and training initiative. This pro- 
gram would identify promising high school students for participation in summer 
work and internship programs that would lead to certification to Federal IT 
workforce standards and possible future employment. This effort will also exam- 
ine possible programs to promote computer security awareness in secondary and 
high school classrooms. 

• The development and implementation of a Federal INFOSEC awareness curricu- 
lum. This awareness effort is aimed at ensuring the entire Federal workforce 
is developing computer security literacy. It will leverage several outstanding ex- 
isting federal agency awareness programs. 

• Research and Development 

A key component to our ability to protect our critical infrastructures now and in 
the future is a robust research and development plan. The interagency Critical Infrastructure Coordination Group (CICG) has created a process to identify technology 
requirements in support of the Plan. Chaired by the Office of Science and Tech- 
nology Policy (OSTP), the Research and Development Sub-Group works with Agen- 
cies and the private sector to: 

• gain agreement on requirements and priorities for information security research 
and development; 

• coordinate among Federal Departments and Agencies to ensure the require- 
ments are met within departmental research budgets and to prevent waste or 
duplication among departmental efforts; 

• communicate with private sector and academic researchers to prevent Federally 
funded R&D from duplicating prior, ongoing, or planned programs in the pri- 
vate sector or academia; and 

• identify areas where market forces are not creating sufficient or adequate re- 
search efforts in information security technology. 

That process, begun in 1998, led to the Administration budget request for fiscal 
year 2000 of $500 million for critical infrastructure protection research. Among the 
priorities identified by the process are: 

• technology to support large-scale networks of intrusion detection monitors; 

• artificial intelligence and other methods to identify malicious code (trap doors) 
in operating system code; 

• methodologies to contain, stop, or eject intruders, and to mitigate damage or re- 
store information-processing services in the event of an attack or disaster; 

• technologies to increase network reliability, system survivability, and the 
robustness of critical infrastructure components and systems, as well as the 
critical infrastructures themselves; and 

• technologies to model infrastructure responses to attacks or failures; identify 
interdependencies and their implications; and locate key vulnerable nodes, com- 
ponents, or systems. 

C. Public-private partnership 

Thirdly, and as discussed above, one of the most important components of PDD- 
63 implementation is the development of collaborative partnerships among and be- 
tween the private sector, state and local governments, and the Federal Government. 
The importance of this effort cannot be overstated and is made clear by considering 
just a few scenarios. If the natural gas delivery system you rely on for heat and 
cooking fails in January due to an attack on the computer systems that direct its 
operations, you will take small comfort in the fact that the Federal Government has a 
critical infrastructure protection plan in place. In fact, all our efforts to put the Fed- 
eral Government’s house in order and to serve as a model for industry will be of 
little service if our government information systems are impossible to break into, 
but the electrical power that they operate on is shut down by malicious actions of 
a foreign government. The list of examples goes on and on, and none of these sys- 
tems is owned or operated by the Federal Government. 

These vignettes put the situation in perspective — we are faced with a fascinating 
and challenging problem. This is the first time I am aware of in our national history 
that by creating policy and expending resources, the Federal Government cannot 
alone solve a national security problem. So what are we doing about it? If by “we” 
you understand “the government” then the answer must necessarily be unsatisfac- 
tory — because the government alone cannot protect the nation’s infrastructures. But 
if by “we” you understand “the nation” — the Federal Government in a coordinated 
and integrated effort with state and local government, industry, academia and other 
concerned groups — then I am happy to report that we have made a good beginning, 
and are developing a strong future. 

Just last Friday, Treasury Secretary Summers announced the formation of the Fi- 
nancial Sector Information Sharing and Analysis Center — “ISAC” for short. ISAC’s 
are private sector owned and operated entities that serve as focal points for their 
associated sector of the economy. Because they are defined individually by their 
member organizations, they will not all be identical. They are, however, all to be 
the coordinating and analyzing body for cyber attacks on their specific sector. I want 
to emphasize that these ISAC’s are neither set up, nor supervised by the Federal 
Government, although the Federal Government will assist these critical sectors in 
setting up their ISAC, through the Sector Liaisons, if asked. The government will 
share what information we can on cyber attacks with the ISAC’s to help them pro- 
tect their sector, and we will encourage them to share appropriately sanitized infor- 
mation with us to help us protect government agencies and functions. But this shar- 
ing from ISAC’s to government will be on an entirely voluntary basis, both in 
amount of information and the level of detail. No requirement exists or will exist 
that mandates information sharing. 

While these ISAC’s would work within the sectors of the economy that own and 
operate critical infrastructure, as stipulated in PDD-63, this is not intended to be 
limiting. Other sectors or groupings within industry could establish ISAC’s, and we 
would assist them in this. Furthermore, practically every aspect of our nation relies 
on critical infrastructures. This makes CIP a fundamentally important issue for not 
just those companies that own and operate critical infrastructure, but also for those 
that rely on it to do business. They can and must have a voice in this public/private 
partnership. 

Recently, the President issued an Executive Order establishing a National Infra- 
structure Assurance Council (NIAC). This Presidential advisory body will be com- 
prised of leaders from the Private Sector, State and Local governments, and the 
Federal Government. It will examine key aspects of critical infrastructure assur- 
ance, and report to the President. 

The final indispensable members of this partnership are state and local govern- 
ments. They have the fundamentally important roles of providing and regulating 
many if not most essential services. They are the front line forces in the event of 
disasters or attacks on infrastructures. Some have moved quite far in their critical 
infrastructure protection efforts — New Mexico, for example, under the direction of 
Dr. Dan O’Neil, has a very strong and growing critical infrastructure protection 
partnership with key private sector entities. Furthermore, we have long had strong 
relationships with state and local governments on specific issues related to critical 
infrastructure protection, such as state and local emergency management organiza- 
tions with FEMA, and state and local law enforcement agencies through the FBI 
and other national law enforcement agencies. This area is one in which much work 
remains to be done, and I look forward to working with each Congressional Delega- 
tion as we define the issues and solutions. 

III. CONCLUSION 

In conclusion, much has been done since PDD-63 was issued in 1998. My staff 
and I are committed to building on this promising beginning, coordinating the gov- 
ernment’s efforts into an integrated holistic program for critical infrastructure pro- 
tection under the direction of the National Coordinator for Security, Infrastructure 
Protection, and Counter-Terrorism. We have much work left to do, and I look forward to working with the members of this committee, indeed with the Congress as a whole, 
as we wrestle with this developing field and implement solutions. I look forward to 
your questions. 
Senator Kyl. Mr. Vatis. 

STATEMENT OF MICHAEL A. VATIS 

Mr. Vatis. Mr. Chairman, Senator Feinstein and Senator Ben- 
nett, thank you very much for inviting me here this morning to 
speak with you about critical infrastructure protection. You three 
have really been leaders in the Congress in recognizing the impor- 
tance of these issues and the urgency of dealing with the new cyber 
threat that we face now in the information age, and so it is a privi- 
lege to share our perspective with you all, coming from the NIPC. 

I think your statements, your three statements, have really laid 
out the issue quite nicely in terms of the threats that we face and 
why our vulnerabilities are so great in this area, so I think I would 
like to focus my brief oral remarks on our perspective on the 
threats and how we are approaching them and attempting to deal 
with them. 

Much of the news media accounts on this issue focus on hacks 
into government websites and some private sector websites, and 
while those are criminal acts and they are not unimportant, they 
are not really where the main threat lies. The main threat lies in 
the potential for foreign nation states, foreign actors, and also do- 
mestic actors to hack into the critical computer networks that con- 
trol our Nation’s vital infrastructures, the services that are essen- 
tial to the basic functioning of our economy and are essential to our 
national security, such as the telecommunications network, the 
electrical power grid, government operations, other energy systems, 
banking and finance, et cetera. Those are what we refer to as our 
critical infrastructures and those are the things that we are fo- 
cused on protecting from attack. 

Mr. Chairman, you mentioned recent media accounts of a signifi- 
cant series of intrusions into Department of Defense and other gov- 
ernment agency networks. This is a matter that we have been look- 
ing into for over a year now and it points up for those who needed 
yet another wake-up call the serious vulnerabilities that we are 
trying to deal with and the serious threats that we are facing, not 
5 or 10 years in the future, but today. These are threats to our na- 
tional security that we must confront now because it is already 
happening. 

As you mentioned, Mr. Chairman, the greatest potential threat 
comes from foreign state actors who might choose to engage in in- 
formation warfare against the United States because they realize 
that they cannot take us on in conventional military terms and 
would seek to go after what they perceive as our Achilles heel, as 
you put it, which is our reliance on information technology, more 
than any other country, to control our critical operations. 

Information warfare is not the only threat. There is also a threat 
from foreign nation states engaged in cyber espionage, using re- 
mote access that is afforded by the interconnectivity of the Internet 
and our telecommunications systems, to access sensitive govern- 
ment information or sensitive private sector information, essen- 
tially engaged in industrial or economic espionage, to steal secrets 
to advantage their own indigenous industries at the expense of our 
own American private sector. These are threats, again, that are not 
just future threats, but they are threats that we must deal with 
right now. 

On the non-state side, there are a variety of bad actors who can 
engage in similar types of intrusions for different purposes, but es- 
sentially using very similar, if not the same, techniques. We have 
seen terrorist groups beginning to acquire both the equipment and 
the expertise to use information technology as a weapon. For some 
time now, we have seen terrorist groups using the Internet and 
other forms of information technology to raise funds, to spread 
propaganda, and to communicate securely using encryption. 

More recently, we have begun to see terrorists now focusing on using those same set of technologies as a weapon. We have seen the Internet Black Tigers, associated with the Tamil Tigers, engage in a denial of service attack on e-mail servers of Sri Lankan government embassies. We also have concerns that Aum Shinrikyo, the Japanese terrorist group that launched the deadly sarin gas attack in Tokyo, is beginning to think about using its expertise in computers and in networks as a possible weapon to direct against Japanese or U.S. interests. And there are reports that traditional terrorist groups such as the IRA have thought about using these same sorts of tools as weapons against their intended targets. 

All of these factors really portend the possibility and likelihood 
of a serious cyber terrorist attack directed against U.S. interests, 
but right now, we are already seeing criminal groups using these 
tools, not necessarily to disrupt systems, but to steal money, which 
is what criminal groups are basically all about. 

We have had the example that is now 5 years old of a Russian 
organized crime group headquartered in St. Petersburg using the 
same types of techniques to break into the Citibank cash manage- 
ment system and start transferring over $10 million to their own 
accounts. Fortunately, Citibank contacted the FBI early on and 
Citibank was able to stem its losses at approximately $400,000. All 
of the members of the group were apprehended and eventually 
prosecuted. 

But we still face that similar problem from criminal groups. The 
Phonemasters case that you mentioned, Mr. Chairman, is just an- 
other example of a group that does not fit our common definition 
of an organized crime group, but it was a group, it was organized, 
and it engaged in serious criminal activity. So I think we need to 
open our minds to some new paradigms out there of organized 
crime, people who are perhaps younger than our typical vision of 
organized crime groups but are taking advantage of these new 
technologies to engage in serious fraud schemes, serious theft 
schemes, and other types of criminal conspiracies. 

But we have also seen individuals posing a serious threat. In the 
last year alone, we have seen at least three very serious viruses or 
worms, the Melissa virus, the Explore.zip worm, the Chernobyl 
virus, wreak serious havoc on the private sector, some estimates 
going into the hundreds of millions of dollars of damage caused to 
private companies from the disruption caused by these viruses. 

We have also seen what we call recreational hackers cause seri- 
ous harm, individuals who may be engaged in hacking just for the 
thrill of it, as Senator Feinstein said, or for bragging rights in the 
hacker community because they are a competitive bunch who like 
to show that they are better than the other guy. But they can have 
very serious consequences in their hacks. It is not just benign fun, 
as it is sometimes portrayed to be. 

We had an example a couple of years ago of a teenager in Massa- 
chusetts who hacked into the then-NYNEX, now Bell Atlantic tele- 
phone system, and shut down telecommunications in the Worces- 
ter, MA, area for several thousand users. What he did not intend 
was that he also disrupted communications to the local airport and 
prevented incoming airplanes from communicating with the tower 
and from turning on the runway lights. That could have obviously 
had very serious impacts on the safety of people using that airport. 
He also had the effect of shutting down communications of local po- 
lice and rescue services. So even things that might seem relatively 
benign can have very serious impacts on our public safety. 

The final category of individuals is probably the most common, 
and that is the disgruntled insider, an employee or former em- 
ployee at a company who abuses his knowledge and access to a sys- 
tem to cause disruption, by causing the system to crash because he 
is angry at his employer, by stealing sensitive information and giv- 
ing it to a competitor, or altering information. We have countless 
examples of these types of instances and that is probably the cat- 
egory that the private sector is most concerned about. Fifty-five 
percent of respondents in a recent poll by the Computer Security 
Institute and the FBI said that they had insider problems, insiders 
accessing their systems and doing bad things. 

So there is an incredibly broad array of threats in the cyber area 
that we have to deal with, and one of the difficulties in this area 
that distinguishes it qualitatively from the physical world is that 
when you first notice that you have an intrusion, you do not know 
what you are dealing with. You do not know if it is a disgruntled 
insider, if it is an organized crime group, if it is a terrorist, a for- 
eign intelligence agency, or a nation state planting the seeds for fu- 
ture destructive attacks. 

And as a result, because you do not know how to deal with it, 
in the government, it is not clear who should have responsibility, 
as Senator Bennett said, because it is not clear what you are deal- 
ing with. If we knew it were a nation state engaged in preparing 
the battlefield for an information warfare attack, then clearly a 
military response might be called for. But if we do not know that 
going in, it is hard to assign responsibility. 

In the Solar Sunrise case that I think all three of you alluded 
to from February 1998, it looked at first blush like it might be an 
instance of information warfare attack by the Iraqi government be- 
cause we were deploying troops to the Gulf at the time and some 
of the attacks seemed to be coming through Internet service provid- 
ers in the Gulf region. Upon investigation, however, we determined 
that the intrusions were carried out by several teenagers, two in 
California and several more in Israel. So what looked like a pos- 
sible information warfare attack ended up being recreational hack- 
ers who were hacking for the thrill of it. 

As a result of that difficulty of knowing what you are dealing 
with, who is doing it, how are they getting in, why are they doing 
it, what systems are they affecting, and where are they coming 
from, the response that the Federal Government took in PDD-63 
was to create an interagency center at the NIPC, located at the 
FBI, but with representatives from all of the agencies who have a 
role to play, depending on what we determine we are confronting. 
So we have representatives at senior levels, at analytical levels, 
and on the investigative side, as well, from the Department of De- 
fense, from the intelligence community, from other Federal law en- 
forcement agencies, until recently, from State and local law en- 
forcement, and eventually, we hope to have representatives from 
the private sector brought in, as well. 

So as we investigate a case and can make determinations about 
who is doing what to us, we can have quick hand-off to the appro- 
priate agencies that have responsibility. But the reason for putting 
the NIPC under the auspices of the FBI is because to make those 
determinations, we need to gather information from the victim 
sites, from some of the intermediate sites that might have been at- 
tacked on the way to the ultimate victim, and the only way legally 
we can gather that information is pursuant to law enforcement in- 
vestigative authorities, or in some more narrow circumstances, 
counterintelligence authorities, if we know going in that this is a 
nation state-sponsored attack. 

But once we gather that information using those legal authori- 
ties, the ultimate response and the ultimate responsibility for deal- 
ing with it will depend on the facts, and at that point, other agen- 
cies would have a more direct role to play, be it a military re- 
sponse, a diplomatic response, an intelligence response, or a law 
enforcement response. 

Let me just say, finally, since I have used up all my time and 
more, that we are looking at Y2K as yet another example of how 
we need to coordinate, particularly on the information sharing side. 
Our responsibility at the NIPC is not to deal with service outages 
caused by the millennium bug and the inability of computers to 
recognize the date change. Our focus, just as it is every day, is 
on dealing with malicious criminal attacks, intrusions or viruses 
that people use to attack systems. We do not have any concrete in- 
formation indicating that any foreign group or domestic group is 
planning on engaging in these sorts of attacks specifically around 
Y2K, but we are preparing for that eventuality because of the distinct possibility that people might see it as an opportunity to engage 
in those sorts of attacks. 

So in our field offices across the country and here at FBI head- 
quarters, the NIPC is preparing a contingency plan to deal with 
those sorts of attacks, and we have been communicating very close- 
ly with the rest of the Federal community, with State and local 
governments, and with the new Information Coordination Center 
at the White House, which is dealing with the Y2K problem overall 
and focusing on sharing information about the state of critical sys- 
tems during the rollover period. 

That concludes my somewhat lengthier remarks that I had in- 
tended, but I hope that gave you some insight into how we ap- 
proach the problem. 

Senator Kyl. Thank you very much, Mr. Vatis. 

[The prepared statement of Mr. Vatis follows:] 
Prepared Statement of Michael A. Vatis 

INTRODUCTION 

Mr. Chairman, Senator Feinstein, and Members of the Committee: Thank you for 
inviting me here today to discuss critical infrastructure protection issues. Mr. Chair- 
man, you and this committee have been leaders in recognizing the importance of 
these issues and the urgency of addressing the new threats to our national security 
in the Information Age, and I welcome this opportunity to share our perspectives 
with you today. As you know, the Federal Government is developing its capabilities 
for dealing with threats to our nation’s infrastructures. Presidential Decision Direc- 
tive-63 set in motion an unprecedented effort to protect our nation’s critical infra- 
structures, which the PDD defined as “those physical and cyber-based systems es- 
sential to the minimum operations of the economy and government.” Critical infra- 
structures include telecommunications, energy, banking and finance, transportation, 
water systems, and emergency services, both public and private. The PDD formally 
designated the National Infrastructure Protection Center (NIPC) to have a central 
operational role in the government’s effort. The Center works closely with the Na- 
tional Coordinator for Security, Infrastructure Protection, and Counter-terrorism; 
the Department of Defense (DOD); the U.S. Intelligence Community (USIC); other 
federal agencies; and the private sector to protect our critical infrastructures. My 
statement will cover the spectrum of threats we are facing and the status of the 
NIPC and its activities. 


SPECTRUM OF THREATS 

The news media is filled with examples of intrusions into government and private 
sector computer networks. Politically motivated hackers have been attacking numer- 
ous U.S. Government websites, including the Senate’s. Deputy Secretary of Defense 
John Hamre reported in February that DOD is “detecting 80 to 100 [potential hack- 
ing] events daily.” We have had several damaging computer viruses this year, in- 
cluding the Melissa Macro Virus, the Explore.Zip Worm, and the CIH (Chernobyl) 
Virus. Computer Economics, Inc., a California firm, estimates that damage in the 
first two quarters of 1999 from viruses has topped $7 billion. The FBI’s case load 
for computer hacking and network intrusion cases has doubled each of the last two 
years. Currently we have over 800 pending investigations. In its 1999 survey, the 
Computer Security Institute estimated the total financial losses by the 163 busi- 
nesses it surveyed from computer security breaches at $123.7 million. This includes 
everything from theft of proprietary data to denial of service on networks. E-com- 
merce has become so important that firms, including Sedgwick Group PLC (in co- 
operation with IBM), Lloyds of London, and Network Risk Management Services, 
are now offering “hacker insurance.” 

Sensitive intrusions 

In the past few years we have seen a series of intrusions into numerous Depart- 
ment of Defense computer networks as well as networks of other federal agencies, 
universities, and private sector entities. Intruders have successfully accessed U.S. 
Government networks and taken large amounts of unclassified but sensitive information. 
In investigating these cases, the NIPC has been coordinating with FBI Field 
Offices, the Department of Defense, and other government agencies, as cir- 
cumstances require. But it is important that the Congress and the American public 
understand the very real threat that we are facing in the cyber realm, not just in 
the future, but now. 

Information warfare 

Perhaps the greatest potential threat to our national security is the prospect of 
“information warfare” by foreign militaries against our critical infrastructures. We 
know that several foreign nations are already developing information warfare doc- 
trine, programs, and capabilities for use against each other and the United States 
or other nations. Foreign nations are developing information warfare programs be- 
cause they see that they cannot defeat the United States in a head-to-head military 
encounter and they believe that information operations are a way to strike at what 
they perceive as America’s Achilles Heel — our reliance on information technology to 
control critical government and private sector systems. For example, two Chinese 
military officers recently published a book that called for the use of unconventional 
measures, including the propagation of computer viruses, to counterbalance the 
military power of the United States. In addition, during the recent conflict in Yugo- 
slavia, hackers sympathetic to Serbia electronically “ping” attacked NATO web serv- 
ers. And Russian as well as other individuals supporting the Serbs attacked 
websites in NATO countries, including the United States, using virus-infected e- 
mail and hacking attempts. Over 100 entities in the United States received these 
e-mails. Several British organizations lost files and databases. These attacks did not 
cause any disruption of the military effort, and the attacked entities quickly recov- 
ered. But such attacks are portents of much more serious attacks that we can expect 
foreign adversaries to attempt in future conflicts. 

Foreign intelligence services 

Foreign intelligence services have adapted to using cyber tools as part of their in- 
formation gathering and espionage tradecraft. In a case dubbed “the Cuckoo’s Egg,” 
between 1986 and 1989 a ring of West German hackers penetrated numerous mili- 
tary, scientific, and industry computers in the United States, Western Europe, and 
Japan, stealing passwords, programs, and other information which they sold to the 
Soviet KGB. Significantly, this was over a decade ago — ancient history in Internet 
years. While I cannot go into specifics about the situation today in an open hearing, 
it is clear that foreign intelligence services increasingly view computer intrusions as 
a useful tool for acquiring sensitive U.S. government and private sector information. 

Terrorists 

Terrorists are known to use information technology and the Internet to formulate 
plans, raise funds, spread propaganda, and to communicate securely. For example, 
convicted terrorist Ramzi Yousef, the mastermind of the World Trade Center bomb- 
ing, stored detailed plans to destroy United States airliners on encrypted files on 
his laptop computer. Moreover, some groups have already used cyber attacks to in- 
flict damage on their enemies’ information systems. For example, a group calling 
itself the Internet Black Tigers conducted a successful “denial of service” attack on 
servers of Sri Lankan government embassies. Italian sympathizers of the Mexican 
Zapatista rebels attacked web pages of Mexican financial institutions. And a Canadian 
government report indicates that the Irish Republican Army has considered the 
use of information operations against British interests. We are also concerned that 
Aum Shinrikyo, which launched the deadly Sarin gas attack in the Tokyo subway 
system, could use its growing expertise in computer manufacturing and Internet 
technology to develop “cyber terrorism” weapons for use against Japanese and U.S. 
interests. Thus while we have yet to see a significant instance of “cyber terrorism” 
with widespread disruption of critical infrastructures, all of these facts portend the 
use of cyber attacks by terrorists to cause pain to targeted governments or civilian 
populations by disrupting critical systems. 

Criminal groups 

We are also beginning to see the increased use of cyber intrusions by criminal 
groups who attack systems for purposes of monetary gain. For example, in 1994 the 
U.S. Secret Service uncovered a $50 million phone card scam that abused the ac- 
counts of AT&T, MCI, and Sprint customers. In addition, in 1994-95 an organized 
crime group headquartered in St. Petersburg, Russia, transferred $10.4 million from 
Citibank into accounts all over the world. After surveillance and investigation by 
the FBI’s New York field office, all but $400,000 of the funds were recovered. In 
another case, Carlos Felipe Salgado, Jr. gained unauthorized access to several Inter- 
net Service Providers in California and stole 100,000 credit card numbers with a 
combined limit of over $1 billion. The FBI arrested him in the San Francisco Inter- 
national Airport when he tried to sell the credit card numbers to a cooperating wit- 
ness for $260,000. With the expansion of electronic commerce, we expect to see an 
increase in hacking by organized crime as the new frontier for large-scale theft. 

Just two weeks ago, two members of a group dubbed the “Phonemasters” were 
sentenced after their conviction for theft and possession of unauthorized access 
devices (18 U.S.C. § 1029) and unauthorized access to a federal interest computer 
(18 U.S.C. § 1030). The “Phonemasters” are an international group of criminals who 
penetrated the computer systems of MCI, Sprint, AT&T, Equifax, and even the FBI’s 
National Crime Information Center (NCIC). Under judicially approved electronic 
surveillance orders, the FBI’s Dallas Field Office made use of new data intercept 
technology to monitor the calling activity and modem pulses of one of the suspects, 
Calvin Cantrell. Mr. Cantrell downloaded thousands of Sprint calling card numbers, 
which he sold to a Canadian individual, who passed them on to someone in Ohio. 
These numbers made their way to an individual in Switzerland and eventually 
ended up in the hands of organized crime groups in Italy. Mr. Cantrell was sen- 
tenced to two years as a result of his guilty plea, while one of his associates, Cory 
Lindsay, was sentenced to 41 months. 

The “Phonemasters” activities should serve as a wake up call for corporate secu- 
rity. Their methods included “dumpster diving” to gather old phone books and tech- 
nical manuals for systems. They then used this information to trick employees into 
giving up their logon and password information. The group then used this information 
to break into victim systems. It is important to remember that often “cyber 
crimes” are facilitated by old fashioned guile, such as calling employees and tricking 
them into giving up passwords. Good “cyber security” practices must therefore ad- 
dress personnel security and “social engineering” in addition to instituting electronic 
security measures. 

Virus writers 

Virus writers are posing an increasingly serious threat to networks and systems 
worldwide. As noted above, we have had several damaging computer viruses this 
year, including the Melissa Macro Virus, the Explore.Zip worm, and the CIH 
(Chernobyl) Virus. The NIPC frequently sends out warnings regarding particularly 
dangerous viruses. 

Earlier this year, we reacted quickly to the spread of the Melissa Macro Virus. 
While there are dozens of viruses released every day, the speedy propagation of Me- 
lissa and its effects on networks caused us great concern. Within hours of learning 
about the virus on Friday, March 26, 1999, we had coordinated with key cyber re- 
sponse components of DOD and the Computer Emergency Response Team (CERT) 
at Carnegie-Mellon University. Our Watch operation went into 24-hour posture and 
sent out warning messages to federal agencies, state and local law enforcement, FBI 
Field Offices, and the private sector. Because the virus affected systems throughout 
the public, we also took the unusual step of issuing a public warning through the 
FBI’s Public Affairs Office and on our website. These steps helped mitigate the dam- 
age by alerting computer users of the virus and of protective steps they could take. 

On the investigative side, the NIPC acted as a central point of contact for the 
Field Offices who worked leads on the case. A tip received by the New Jersey State 
Police from America Online, and their follow-up investigation with the FBI’s New- 
ark Field Office, led to the April 1, 1999 arrest of David L. Smith. Search warrants 
were executed in New Jersey by the New Jersey State Police and FBI Special 
Agents from the Newark Field Office. 

Just in the last few weeks we have seen reports on the Suppl Word Macro virus, 
the toadie.exe virus, and the W97M/Thurs.A (or Thursday) virus. This last virus 
has already infected over 5,000 machines, according to news reports, and deletes 
files on victims’ hard drives. The payload of the virus is triggered on 12-13 and 
disables the macro virus protection in Word 97. We are also concerned with the 
propagation of a Trojan Horse called Back Orifice 2000, which allows malicious 
actors to monitor or tamper with computers undetected by the users. 

Virus writers are not often broken out as a threat category, and yet they often 
do more damage to networks than hackers do. The prevalence of computer viruses 
reminds us that we all have to be very careful about the attachments we open and 
we all must be sure to keep our anti-virus software up-to-date. 

Hacktivism 

Recently we have seen a rise in what has been dubbed “hacktivism” — politically 
motivated attacks on publicly accessible web pages or e-mail servers. These groups 
and individuals overload e-mail servers and hack into web sites to send a political 
message. While these attacks generally have not altered operating systems or net- 
works, they still damage services and deny the public access to websites containing 
valuable information and infringe on others’ right to communicate. One such group 
is called the “Electronic Disturbance Theater,” which promotes civil disobedience on- 
line in support of its political agenda regarding the Zapatista movement in Mexico 
and other issues. This past spring they called for worldwide electronic civil disobe- 
dience and have taken what they term “protest actions” against White House and 
Department of Defense servers. Supporters of Kevin Mitnick, recently convicted of 
numerous computer security offenses, hacked into the Senate webpage and defaced 
it in May and June of this past year. The Internet has enabled new forms of politi- 
cal gathering and information sharing for those who want to advance social causes; 
that is good for our democracy. But illegal activities that disrupt e-mail servers, de- 
face web-sites, and prevent the public from accessing information on U.S. govern- 
ment and private sector web sites should be regarded as criminal acts that deny 
others their First Amendment rights to communicate rather than as an acceptable 
form of protest. 

“Recreational” hackers 

Virtually every day we see a report about “recreational hackers,” or “crackers,” 
who crack into networks for the thrill of the challenge or for bragging rights in the 
hacker community. While remote cracking once required a fair amount of skill or 
computer knowledge, the recreational hacker can now download attack scripts and 
protocols from the World Wide Web and launch them against victim sites. Thus 
while attack tools have become more sophisticated, they have also become easier to 
use. 

These types of hacks are very numerous and may appear on their face to be be- 
nign. But they can have serious consequences. A well-known example of this in- 
volved a juvenile who hacked into the NYNEX (now Bell Atlantic) telephone system 
that serviced the Worcester, Massachusetts area using his personal computer and 
modem. The hacker shut down telephone service to 600 customers in the local com- 
munity. The resulting disruption affected all local police and fire 911 services as 
well as the ability of incoming aircraft to activate the runway lights at the Worces- 
ter airport. Telephone service was out at the airport tower for six hours. The U.S. 
Secret Service investigation of this case also brought to light a vulnerability in 
22,000 telephone switches nationwide that could be taken down with four key- 
strokes. Because he was a juvenile, however, the hacker was sentenced to only two 
years probation and 250 hours of community service, and was forced to forfeit the 
computer equipment used to hack into the phone system and reimburse the phone 
company for $5,000. This case demonstrated that an attack against our critical com- 
munications hubs can have cascading effects on several infrastructures. In this case, 
transportation, emergency services, and telecommunications were disrupted. It also 
showed that widespread disruption could be caused by a single person from his or 
her home computer. 

Insider threat 

The disgruntled insider is a principal source of computer crimes. Insiders do not 
need a great deal of knowledge about computer intrusions, because their knowledge 
of victim systems often allows them to gain unrestricted access to cause damage to 
the system or to steal system data. The 1999 Computer Security Institute/FBI re- 
port notes that 55 percent of respondents reported malicious activity by insiders. 

There are many cases in the public domain involving disgruntled insiders. For ex- 
ample, Shakuntla Devi Singla used her insider knowledge and another employee’s 
password and logon identification to delete data from a U.S. Coast Guard personnel 
database system. It took 115 agency employees over 1,800 hours to recover and re- 
enter the lost data. Ms. Singla was convicted and sentenced to five months in pris- 
on, five months home detention, and ordered to pay $35,000 in restitution. 

In another case, a former Forbes employee named George Parente hacked into 
Forbes systems using another employee’s password and login identification and 
crashed over half of Forbes’ computer network servers and erased all of the data 
on each of the crashed services. The data could not be restored. The losses to Forbes 
were reportedly over $100,000. 

Identifying the intruder 

One major difficulty that distinguishes cyber threats from physical threats is de- 
termining who is attacking your system, why, how, and from where. This difficulty 
stems from the ease with which individuals can hide or disguise their tracks by ma- 
nipulating logs and directing their attacks through networks in many countries be- 
fore hitting their ultimate target. The now well known “Solar Sunrise” case illus- 
trates this point. Solar Sunrise was a multi-agency investigation (which occurred 
while the NIPC was being established) of intrusions into more than 600 military, 
civilian government, and private sector computer systems in the United States, dur- 
ing February and March 1998. The intrusions occurred during the build-up of 
United States military personnel in the Persian Gulf in response to tension with 
Iraq over United Nations weapons inspections. The intruders penetrated at least 
200 unclassified U.S. military computer systems, including seven Air Force bases 
and four Navy installations, Department of Energy National Laboratories, NASA 
sites, and university sites. Agencies involved in the investigation included the FBI, 
DOD, NASA, Defense Information Systems Agency, AFOSI, and the Department of 
Justice. 

The timing of the intrusions and links to some Internet Service Providers in the 
Gulf region caused many to believe that Iraq was behind the intrusions. The inves- 
tigation, however, revealed that two juveniles in Cloverdale, California and several 
individuals in Israel were the culprits. Solar Sunrise thus demonstrated to the 
interagency community how difficult it is to identify an intruder until facts are 
gathered in an investigation, and why assumptions cannot be made until sufficient 
facts are available. It also vividly demonstrated the vulnerabilities that exist in our 
networks; if these individuals were able to assume “root access” to DOD systems, 
it is not difficult to imagine what hostile adversaries with greater skills and re- 
sources would be able to do. Finally, Solar Sunrise demonstrated the need for inter- 
agency coordination by the NIPC. 
Special threat: Y2K malicious activity 

The main concern with the Y2K rollover is, of course, the possibility of widespread 
service outages caused by the millennium date problem in older computer systems. 
The President’s Y2K Council has done an excellent job in helping the nation prepare 
for the rollover event. Given our overall mission under PDD-63, the NIPC’s role 
with regard to Y2K will be to maintain real-time awareness of intentional cyber 
threats or incidents that might take place around the transition to 2000, dissemi- 
nate warnings to the appropriate government and private sector parties, and coordi- 
nate the government’s response to such incidents. We are not responsible for dealing 
with system outages caused by the millennium bug. Because of the possibility that 
there might be an increase in malicious activity around January 1, 2000, we have 
formulated contingency plans both for NIPC Headquarters and the FBI Field Of- 
fices. 

We are presently augmenting our existing relationships and information-sharing 
mechanisms with relevant entities in the federal government, such as the Informa- 
tion Coordination Center (ICC), state and local governments, private industry, and 
the CERT/FIRST community. Information will come to us from a variety of places, 
including FBI field offices and Legal Attaches overseas, as well as the ICC. FBI field 
offices are also tasked to establish Y2K plans for their regions of responsibility. In 
essence, all of the activities that we will undertake during the rollover period are 
ones we perform everyday. The difference is that we will be prepared to conduct 
them at an increased tempo to deal with any incidents occurring during the Y2K 
rollover. 

There is one potential problem associated with Y2K that causes us special con- 
cern — the possibility that malicious actors, foreign or domestic, could use the Y2K 
remediation process to install malicious code in the “remediated” software. Thou- 
sands of companies across the United States and around the world are busy having 
their source code reviewed to ensure that they are “Y2K compliant.” Those who are 
doing the Y2K remediation are almost always contractors who are given the status 
of a trusted insider with broad authority to review and make changes to the source 
code that runs information systems. These contractors could, undetected, do any of 
the following to compromise systems: 

• Install Trap Doors: By installing trap doors, intruders can later gain access to 
a system through an opening that they have created and then exploit or attack 
the system; 

• Obtain “Root Access”: Given their level of access, remediation companies can 
gain the same extensive privileges as the system administrator, allowing them 
to steal or alter information or engage in a “denial of service” attack on the sys- 
tem. 

• Implant Malicious Code: By implanting malicious code, someone could place a 
logic bomb or a time-delayed virus in a system that will later disrupt it. A mali- 
cious actor could also implant a program to compromise passwords or other as- 
pects of system security. 

• Map Systems: By mapping systems as a trusted insider, a contractor can gain 
valuable information to sell to economic competitors or even foreign intelligence 
agencies. 

Systems can be compromised for any number of purposes, including foreign intel- 
ligence activities, information warfare, industrial espionage, terrorism, or organized 
crime. And since any vulnerabilities that are implanted will persist as long as the 
software is in place, this is a problem that will last well beyond January 1, 2000. 
Companies and government agencies therefore need to determine how they will deal 
with this potential “Post-Y2K problem” on their critical systems. 

We have little concrete evidence so far of vendors’ planting malicious code during 
remediation. But the threat is such that companies should take every precaution 
possible. Of course, checking the remediation work to make sure that no malicious 
code was implanted in a system is no easy matter. If reviewing the millions of lines 
of code at issue were simple, there would be little need for Y2K contractors in the 
first place. Nevertheless, given the vulnerabilities that could be implanted in critical 
systems, it is imperative that the client companies do as much as possible to check 
the background of the companies doing their remediation work, oversee the remedi- 
ation process closely, and review new code as closely as possible and remove any 
extraneous code. Further, companies should test for trap doors and other known 
vulnerabilities to cracking. Companies can also use “red teams” to try to crack the 
software and further determine if trap doors exist. 
STATUS OF THE NIPC 

The NIPC is an interagency Center located at the FBI. Created in 1998, the NIPC 
serves as the focal point for the government’s efforts to warn of and respond to cyber 
intrusions. In PDD-63, the President directed that the NIPC “serve as a national 
critical infrastructure threat assessment, warning, vulnerability, and law enforce- 
ment investigation and response entity.” The PDD further states that the mission 
of the NIPC “will include providing timely warnings of intentional threats, com- 
prehensive analyses and law enforcement investigation and response.” 

Thus, the PDD places the NIPC at the core of the government’s warning, inves- 
tigation, and response system for threats to, or attacks on, the nation’s critical infra- 
structures. The NIPC is the focal point for gathering information on threats to the 
infrastructures as well as “facilitating and coordinating the Federal Government’s 
response to an incident.” The PDD further specifies that the NIPC should include 
“elements responsible for warning, analysis, computer investigation, coordinating 
emergency response, training, outreach, and development and application of tech- 
nical tools.” 

The NIPC has a vital role in collecting and disseminating information from all 
relevant sources. The PDD directs the NIPC to “sanitize law enforcement and intel- 
ligence information for inclusion into analyses and reports that it will provide, in 
appropriate form, to relevant federal, state, and local agencies; the relevant owners 
and operators of critical infrastructures; and to any private sector information shar- 
ing and analysis entity.” The NIPC is also charged with issuing “attack warnings 
or alerts to increases in threat condition to any private sector information sharing 
and analysis entity and to the owners and operators.” 

In order to perform its role, the NIPC is continuing to establish a network of rela- 
tionships with a wide range of entities in both the government and the private sec- 
tor. The PDD provides for this in several ways. First, it states that the Center will 
“include representatives from the FBI, U.S. Secret Service, and other investigators 
experienced in computer crimes and infrastructure protection, as well as representa- 
tives detailed from the Department of Defense, Intelligence Community and Lead 
Agencies.”¹ Second, pursuant to the PDD, the NIPC has electronic links to the rest 
of the government in order to facilitate the sharing of information and the timely 
issuance of warnings. Third, the PDD directs all executive departments and agen- 
cies to “share with the NIPC information about threats and warning of attacks and 
actual attacks on critical government and private sector infrastructures, to the ex- 
tent permitted by law.” By bringing other agencies directly into the Center and 
building direct communication linkages, the Center provides a means of coordinat- 
ing the government’s cyber expertise and ensuring full sharing of information, con- 
sistent with applicable laws and regulations. 

To accomplish its goals under the PDD, the NIPC is organized into three sections: 

• The Computer Investigations and Operations Section (CIOS) is the operational 
and response arm of the Center. It program manages computer intrusion inves- 
tigations conducted by FBI Field Offices throughout the country; provides sub- 
ject matter experts, equipment, and technical support to cyber investigators in 
federal, state, and local government agencies involved in critical infrastructure 
protection; and provides a cyber emergency response capability to help resolve 
a cyber incident. 

• The Analysis and Warning Section (AWS) serves as the “indications and warn- 
ing” arm of the NIPC. The AWS reviews numerous government and private sec- 
tor databases, media, and other sources daily to disseminate information that 
is relevant to any aspect of NIPC’s mission, including the gathering of indica- 
tions of a possible attack. It provides analytical support during computer intru- 
sion investigations, performs analyses of infrastructure risks and threat trends, 
and produces current analytic products for the national security and law en- 
forcement communities, the owners-operators of the critical infrastructures, and 
the computer network managers who protect their systems. It also distributes 
tactical warnings, alerts, and advisories to all the relevant partners, informing 
them of exploited vulnerabilities and threats. 


¹ The Lead Agencies are: Commerce for information and communications; Treasury for 
banking and finance; EPA for water supply; Transportation for aviation, highways, mass 
transit, pipelines, rail, and waterborne commerce; Justice/FBI for emergency law enforcement 
services; Federal Emergency Management Agency for emergency fire service and continuity 
of government; Health and Human Services for public health services. The Lead Agencies 
for special functions are: State for foreign affairs, CIA for intelligence, Defense for national 
defense, and Justice/FBI for law enforcement and internal security. The NIPC is performing 
the lead agency and special functions roles specified for “Justice/FBI” in the PDD. 
• The Training, Outreach and Strategy Section (TOSS) coordinates the training 
and continuing education of cyber investigators within the FBI Field Offices and 
other federal, state and local law enforcement agencies. It also coordinates our 
liaison with private sector companies, state and local governments, other gov- 
ernment agencies, and the FBI’s Field Offices. In addition, this section manages 
our collection and cataloguing of information concerning “key assets” — i.e., criti- 
cal individual components within each infrastructure sector, such as specific 
power grids, telecommunications switch nodes, or financial systems — across the 
country. 

To facilitate our ability to investigate and respond to attacks, the FBI has created 
the National Infrastructure Protection and Computer Intrusion (NIPCI) Program in 
the 56 FBI Field Offices across the country. Under this program, managed by the 
NIPC at FBIHQ, “NIPCI” squads consisting of at least seven agents have been cre- 
ated in 10 Field Offices: Washington D.C., New York, San Francisco, Chicago, Dal- 
las, Los Angeles, Atlanta, Charlotte, Boston, and Seattle. For fiscal year 2000, we 
intend to reallocate our existing field agent complement to create six additional 
squads in Baltimore, Houston, Miami, Newark, New Orleans, and San Diego. Be- 
cause of resource constraints, the other field offices have only 1-5 agents dedicated 
to working NIPCIP matters. 

The NIPC’s mission clearly requires the involvement and expertise of many agen- 
cies other than the FBI. This is why the NIPC, though housed at the FBI, is an 
interagency center that brings together personnel from all the relevant agencies. In 
addition to our 79 FBI employees, the NIPC currently has 28 representatives from: 
DOD (including the military services and component agencies), the CIA, DOE, 
NASA, the State Department as well as federal law enforcement, including the U.S. 
Secret Service, the U.S. Postal Service and, until recently, the Oregon State Police. 
The NIPC is in the process of seeking additional representatives from State and 
local law enforcement. 

But clearly we cannot rely on government personnel alone. Much of the technical 
expertise needed for our mission resides in the private sector. Accordingly, we rely 
on contractors to provide technical and other assistance. We are also in the process 
of arranging for private sector representatives to serve in the Center full time. In 
particular, the Attorney General and the Information Technology Association of 
America (ITAA) announced in April that the ITAA would detail personnel to the 
NIPC as part of a “Cybercitizens Partnership” between the government and the in- 
formation technology (IT) industry. Information technology industry representatives 
serving in the NIPC would enhance our technical expertise and our understanding 
of the information and communications infrastructure. 

NIPC activities 

The NIPC’s operations can be divided into three categories: protection, detection, 
and response. 

Protection 

Our role in protecting infrastructures against cyber intrusions is not to advise the 
private sector on what hardware or software to use or to act as their systems admin- 
istrator. Rather, our role is to provide information about threats, ongoing incidents, 
and exploited vulnerabilities so that government and private sector system adminis- 
trators can take the appropriate protective measures. The NIPC is developing a va- 
riety of products to inform the private sector and other government agencies of 
threats, including: warnings, alerts, and advisories; the Infrastructure Protection Di- 
gest; Critical Infrastructure Developments; CyberNotes; and topical electronic reports. 
These products are designed for tiered distribution to both government and private 
sector entities consistent with applicable law and the need to protect intelligence 
sources and methods, and law enforcement investigations. For example, the Infra- 
structure Protection Digest is a quarterly publication providing analyses and infor- 
mation on critical infrastructure issues. The Digest provides analytical insights into 
major trends and events affecting the nation’s critical infrastructures. It is usually 
published in both classified and unclassified formats and reaches national security 
and civilian government agency officials as well as infrastructure owners. Critical 
Infrastructure Developments is distributed bi-weekly to private sector entities. It 
contains analyses of recent trends, incidents, or events concerning critical infra- 
structure protection. CyberNotes is another NIPC publication designed to provide se- 
curity and information system professionals with timely information on cyber 
vulnerabilities, hacker exploit scripts, hacker trends, virus information, and critical 
infrastructure-related best practices. It is published twice a month on our website 
and disseminated in hard copy to government and private sector audiences. 
The NIPC, in conjunction with the private sector, has also developed an initiative 
called “InfraGard” to expand direct contacts with the private sector infrastructure 
owners and operators and to share information about cyber intrusions and exploited 
vulnerabilities, with the goal of increasing protection of critical infrastructures. The 
initiative encourages the exchange of information by government and private sector 
members through the formation of local InfraGard chapters within the jurisdiction 
of each of the 56 FBI Field Offices. The initiative includes an intrusion alert net- 
work using encrypted e-mail, a secure website and local chapter activities. A critical 
component of InfraGard is the ability of industry to provide information on intru- 
sions to the NIPC and the local FBI Field Office using secure communications in 
both a detailed and a “sanitized” format. The local FBI Field Offices can, if appropriate, 
use the detailed version to initiate an investigation, while the NIPC can analyze 
that information in conjunction with law enforcement, intelligence, open source, 
or other industry information to determine if the intrusion is part of a broader at- 
tack on numerous sites. The NIPC can simultaneously use the sanitized version to 
inform other members of the intrusion without compromising the confidentiality of 
the reporting company. InfraGard also provides us with a regular, secure method 
of providing additional security-related information to the private sector based 
on information we obtained from law enforcement investigations and other sources. 
InfraGard has recently been expanded to a total of 21 FBI Field Offices. The pro- 
gram will be expanded to the rest of the country later this year. 

Under PDD-63, the NIPC also serves as the U.S. government’s “Lead Agency” for 
the Emergency Law Enforcement Services Sector. As Sector Liaison for law enforce- 
ment, the NIPC and a “Sector Coordinator” committee representing state and local 
law enforcement are formulating a plan to reduce the vulnerabilities of state and 
local law enforcement to cyber attack and are developing methods and procedures 
to share information within the sector. The NIPC and the FBI Field Offices are also 
working with the State and local law enforcement agencies to raise awareness with 
regard to vulnerabilities in this sector. 

Detection 

Given the ubiquitous vulnerabilities in existing Commercial Off-the-Shelf (COTS) 
software, intrusions into critical systems are inevitable for the foreseeable future. 
Thus, detection of these intrusions is critical if the U.S. Government and critical in- 
frastructure owners and operators are going to be able to respond. To improve our 
detection capabilities, we first need to ensure that we are fully collecting, sharing, 
and analyzing all extant information from all relevant sources. It is often the case 
that intrusions can be discerned simply by collecting bits of information from var- 
ious sources; conversely, if we don’t collate these pieces of information for analysis, 
we might not detect the intrusions at all. Thus the NIPC’s role in collecting informa- 
tion from all sources and performing analysis in itself aids the role of detection. 

The NIPC is currently concentrating on developing and implementing reliable 
mechanisms for receiving, processing, analyzing and storing information provided by 
government and private sector entities. This information is being used by NIPC an- 
alysts to develop tactical and strategic warning indicators of cyber threats and at- 
tacks. The NIPC and North American Energy Reliability Council (NERC) have es- 
tablished an industry-based Electric Power Working Group to develop tactical warn- 
ing indicators and information sharing procedures for the electric power sector. The 
NIPC also has developed mechanisms to share cyber incident information with both 
government agencies and private companies in the telecommunications sector. In 
the long-term, our indications and warning efforts will require participation by the 
Intelligence Community, DOD, the sector lead agencies, other government agencies, 
federal, State and local law enforcement, and the private sector owners and operators 
of the infrastructures. 

Another initiative that will aid in the detection of network intrusions is the “Fed- 
eral Intrusion Detection Network” (“FIDNet”), a National Security Council initiative 
that would be managed by the General Services Administration. Many agencies al- 
ready have their own intrusion detection systems. FIDNet will enhance agencies’ 
cyber security by linking their intrusion detection systems together so that sus- 
picious patterns of activity can be detected and alerts issued across agencies. The 
goal of FIDNet is to detect intrusions in the federal civilian agencies’ critical com- 
puter systems. (Contrary to recent press reports, FIDNet will not extend to private 
sector systems.) To do this, critical network event data will be captured and ana- 
lyzed so that patterns can be established and, in the event of an attack, warnings 
issued. FIDNet will be the civilian agency counterpart for the automated detection 
system currently deployed across Department of Defense systems. FIDNet, under 
current plans, will consist of the following: sensors at key network nodes; a centrally 
managed GSA facility, the Federal Intrusion Detection Analysis Center (FIDAC), to 
analyze the technical data from the nodes; and secure storage and dissemination of 
collected information. The NIPC will receive reports from the FIDAC when there is 
evidence of a possible federal crime (such as a violation of 18 U.S.C. § 1030). Using 
all-source information, the Center would then analyze intrusions and other signifi- 
cant incidents to implement response efforts and support and inform national secu- 
rity decision-makers. FIDNet-derived information would also be combined with all- 
source reporting available to the NIPC to produce analysis and warning products 
which will be distributed to government, private sector companies, and the public, 
as appropriate. 

Response 

The NIPC’s and the FBI’s role in response principally consists of investigating in- 
trusions to identify the responsible party and issuing warnings to affected entities 
so that they can take appropriate protective steps. As discussed earlier, in the cyber 
world, determining what is happening during a suspected intrusion is difficult, par- 
ticularly in the early stages. An incident could be a system probe to find 
vulnerabilities or entry points, an intrusion to steal or alter data or plant sniffers 
or malicious code, or an attack to disrupt or deny service. The cyber crime scene 
is totally different from a crime scene in the physical world in that it is dynamic — 
it grows, contracts, and can change shape. Determining whether an intrusion is 
even occurring can often be difficult in the cyber world, and usually a determination 
cannot be made until after an investigation is initiated. In the physical world, by 
contrast, one can see instantly if a building has been bombed or an airliner brought 
down. 

Further, the tools used to perpetrate a cyber terrorist attack can be the same ones 
used for other cyber intrusions (simple hacking, foreign intelligence gathering, orga- 
nized crime activity to steal data, etc.), making identification and attribution more 
difficult. The perpetrators could be teenagers, criminal hackers, electronic 
protestors, terrorists, foreign intelligence services, or foreign military. In order to at- 
tribute an attack, FBI Field Offices can gather information from within the United 
States using either criminal investigative or foreign counter-intelligence authorities, 
depending on the circumstances. This information is necessary not only to identify 
the perpetrator but also to determine the size and nature of the intrusion: how 
many systems are affected, what techniques are being used, and what the purpose 
of the intrusions is — disruption, espionage, theft of money, etc. 

Relevant information also could come from the U.S. Intelligence Community (if 
the attack is from a foreign source), other U.S. government agency information, 
state and local law enforcement, private sector contacts, the media, other open 
sources, or foreign law enforcement contacts. The NIPC’s role is to coordinate and 
collect this information. 

On the warning side, if we determine an intrusion is imminent or underway, the 
Watch and Warning Unit is responsible for formulating warnings, alerts, or 
advisories and quickly disseminating them to all appropriate parties. If we deter- 
mine an attack is underway, we can issue warnings using an array of mechanisms, 
and send out sanitized and unsanitized warnings to the appropriate parties in the 
government and the private sector so they can take immediate protective steps. The 
Center has issued 22 warnings, alerts, or advisories between January 4 and Septem- 
ber 22, 1999. 

Two other NIPC initiatives are directed to improving our response capabilities. 
First, to respond appropriately, our field investigators need the proper training. 
Training FBI and other agencies’ investigators is critical if we hope to keep pace 
with the rapidly changing technology and be able to respond quickly and effectively 
to computer intrusions. The NIPC has been very active in training. These training 
efforts will help keep us at the cutting edge of law enforcement and national secu- 
rity in the 21st Century. The Center provided training to 314 attendees in fiscal 
year 1998. In fiscal year 1999, over 383 FBI Agents, state and local law enforcement 
representatives, and representatives from other government agencies have taken 
FBI-sponsored courses on computer intrusions and network analysis, the workings 
of the energy and telecommunications key assets, and other relevant topics. 

Second, our Key Asset Initiative (KAI) facilitates response to threats and intru- 
sion incidents by building liaison and communication links with the owners and op- 
erators of individual companies in the critical infrastructure sectors and enabling 
contingency planning. The KAI began in the 1980’s and focused on physical 
vulnerabilities to terrorism. Under the NIPC, the KAI has been reinvigorated and 
expanded to focus on cyber vulnerabilities as well. The KAI initially will involve de- 
termining which assets are key within the jurisdiction of each FBI Field Office and 
obtaining 24-hour points of contact at each asset in cases of emergency. Eventually, 
if future resources permit, the initiative will include the development of contingency 
plans to respond to attacks on each asset, exercises to test response plans, and modeling 
to determine the effects of an attack on particular assets. FBI Field Offices 
will be responsible for developing a list of the assets within their respective jurisdic- 
tions, while the NIPC will maintain the national database. The KAI is being devel- 
oped in coordination with DOD and other agencies. 

CONCLUSION 

While the NIPC has accomplished much over the last year in building the first 
national-level operational capability to respond to cyber intrusions, much work re- 
mains. We have learned from cases that successful network investigation is highly 
dependent on expert investigators and analysts, with state of the art equipment and 
training. We have begun to build that capability both in the FBI Field Offices and 
at NIPC Headquarters, but we have much work ahead if we are to build our re- 
sources and capability to keep pace with the changing technology and growing 
threat environment and be capable of responding to several major incidents at once. 

We have also demonstrated how much can be accomplished when agencies work 
together, share information, and coordinate their activities as much as legally per- 
missible. But on this score, too, more can be done to achieve the interagency and 
public-private partnerships called for by PDD-63. We need to ensure that all rel- 
evant agencies are sharing information about threats and incidents with the NIPC 
and devoting personnel and other resources to the Center so that we can continue 
to build a truly interagency, “national” center. Finally, we must work with Congress 
to make sure that policy makers understand the threats we face in the Information 
Age and what measures are necessary to secure our Nation against them. I look for- 
ward to working with the Members and Staff of this Committee to address these 
vitally important issues. Thank you. 

Senator Kyl. It is my understanding that, with the exception of 
one paragraph, the draft statement that had not previously been 
cleared is the statement that you have submitted for the record 
today, is that right? 

Mr. Vatis. What we brought this morning is the final statement, 
yes, sir. 

Senator Kyl. And that statement, since Mr. Vatis did not recount 
in detail all of the examples of things that had been dealt with or 
are being dealt with, I might just reiterate, just to highlight a cou- 
ple, one estimate of damage from the 80 to 100 events daily de- 
tected is, in the first two quarters of 1999, a loss or damage from 
these viruses over $7 billion. This is not a minor matter. 

Then the other examples of foreign sources interfering with the 
Kosovo operation, the foreign intelligence services with information 
sold to the Soviet KGB, terrorist activity, the criminal groups 
which you have mentioned, the Phonemasters case, which I men- 
tioned, and a variety of other situations, but there was one item 
that I referred to from open source material, I believe it was News- 
week magazine. Can you say anything on the record about that 
particular ongoing event and can you identify it by its code name? 

Mr. Vatis. The article called it Moonlight Maze, and that is, in 
fact, our name for an investigation that we have been conducting 
for over a year into a series of widespread intrusions into Depart- 
ment of Defense, other Federal Government agency, and private 
sector computer networks. About the furthest I can go is to say 
that the intrusions appear to originate in Russia. We have been co- 
ordinating an investigation that has involved numerous Federal 
agencies, as well as international counterparts, but the intrusions 
have resulted in the taking of or the theft of unclassified, and it 
is important to stress that it is unclassified, but still sensitive in- 
formation about essentially defense technical research matters. 

Senator Kyl. Thank you very much. I think none of us underesti- 
mates the seriousness of the issue, but I think it is important that 
hearings like this convey to the public as much information as can 
possibly be conveyed about the threat so that the public will be 
supportive of the efforts of the government and the private sector 
to deal with it, and also so that they will appreciate the law en- 
forcement tension that you identified, and I am going to get more 
into that in a minute, to try to put everybody’s mind at ease with 
respect to how the investigations are proceeding and how privacy 
is being protected. 

Mr. Tritak, let me ask you, the PDD was issued back in May 
1998 and I think the 180-day time frame which mandated that the 
plans be developed was probably unrealistic at the time. But it has 
now been over a year and we still do not — well, let me ask you. A, 
have plans been completed, and B, if not, why not, and C, when 
we might expect that the initial operating capability, which was 
supposed to be by November 2000, will, in fact, be achieved? 

Mr. Tritak. Yes, Senator. Let me say that the plan is in its final 
stages of interagency review and clearance. It is our strong hope 
that it will be issued later this month or early next month. So I 
think, recognizing that, as you have indicated, I think when the 
initial goal of 180 days was made, the complexity of the task at 
hand perhaps was not quite as well appreciated as it became in the 
course of developing it. 

But let me say a couple of words about that, because I think it 
is important to understand that we are talking about rather an un- 
precedented process of engaging some 24 agencies in addressing an 
issue that everyone recognizes is important. How one goes about it, 
especially given budgetary realities, is something that is open to se- 
rious consideration and debate, sometimes very spirited debate. I 
think that is a good thing because this is a big issue and you want 
the benefit of very careful thought given by a wide range of experts 
within the government on this matter. 

Now, when the plan does come out, it is probably best to think 
of it as an invitation to a dialogue rather than a final product to 
be embraced and accepted thumbs up/thumbs down. That is mainly 
because the main focus of the national plan is on the Federal Gov- 
ernment’s efforts. I think the rationale for taking this approach is 
if we are going to engage the private sector and ask them to sup- 
port the efforts that are needed to protect our critical infrastruc- 
tures, the government has to show a level of seriousness in getting 
its own house in order. 

So what you are going to see, for the most part, in the first ver- 
sion is the Federal Government’s initial attempt at developing a 
plan that it will implement and pursue in the ends and goals of 
PDD 63. It is hoped that once this is issued, it will be very quickly 
followed by a broader dialogue with private sector interest groups, 
particularly in the privacy area, but also members of Congress and 
their staffs because we cannot consider something to be a national 
plan without engaging the Nation in this dialogue. It affects every- 
one importantly. 

So in answer to your question, it is coming out very soon and we 
are hoping that it will be, again, the later part of this month, the 
early part of next month. 

Senator Kyl. Thank you. This is not the time to be critical. I 
really was simply focusing on the questions that Senator Feinstein 
raised at the end of her statement, and I think we all want to work 
constructively toward the result. I can remember former Senator 
Sam Nunn and I testifying about this, and I have forgotten now 
when that was, but clearly, he has not been around for a while. 
This has been going on for a long time and we have had to prod 
some people within the administration for quite a while to get 
going here. 

Again, I am not being critical of you or the people who are work- 
ing hard on this. As you point out, it is a hard job. But in view 
of the kind of threats that have been mentioned here, I do not 
think we can say too often that we have got to get on with this and 
put these plans in place. 

Just very quickly, because I do not want to take any more time 
here, you testified that this program would operate within legal re- 
quirements and government policy concerning privacy, civil lib- 
erties, and promoting confidence in users of the Federal/civilian 
computer systems, that neither the FBI nor other law enforcement 
entities would receive information about computer attacks and in- 
trusions except under longstanding legal rules and where an agen- 
cy determines there is sufficient indication of illegal conduct, that 
private entities will not be wired to the FIDNet, no private sector 
entity is a part of the civilian government program, and that it will 
be run by GSA, not the FBI. It will not monitor any private net- 
works or e-mail traffic and confer no new authorities on any gov- 
ernment agencies and will be fully consistent with privacy law and 
practice, right? 

Mr. Tritak. Right. 

Senator Kyl. I think that is an important point to get across to 
folks, that we are dealing with a very significant national security 
issue here, and as Senator Bennett pointed out, there will be times 
when it may be unclear to us but it moves into a law enforcement 
requirement, but that in no event will any policies or rules be 
changed, which obviously that is a concern of this committee, be- 
cause we understand that the U.S. Constitution would prevent any 
inhibitions on privacy rights in any event. I just want to try to help 
put people’s mind at ease that everyone is very cognizant of that, 
the people in charge of putting the plan together, some of the peo- 
ple in charge of oversight here, and we will continue to keep our 
eye on that. 

Senator Feinstein. 

Senator Feinstein. Thanks very much, Mr. Chairman. 

Mr. Vatis, in your testimony, you mentioned, and Senator Kyl, 
I think, referred to it, that the DOD has reported 80 to 100 hacker 
attempts every day. Do you know how many of these attempts suc- 
ceed? 

Mr. Vatis. I do not have exact numbers, Senator, on how many 
succeed. There is a whole range of effects of possible attacks. Some- 
times they are just pings that attempt to probe a system. Some- 
times they get in successfully but then do not do anything. And 
sometimes they get in and then they do things, such as remove in- 
formation or 

Senator Feinstein. Then let me ask you the next question, which 
you probably do know the answer to. What kind of damage, if any, 
is occurring? 
Mr. Vatis. In general? 

Senator Feinstein. Yes, or as specific as you feel you can. 

Mr. Vatis. It depends on the case. Generally, what we see is peo- 
ple looking around and sometimes taking information on the un- 
classified networks. There have not been many instances where 
damage has been done to the systems. The primary concern in 
most of these cases is with unauthorized, illegitimate access to in- 
formation that, though unclassified, is sensitive military informa- 
tion. 

Senator Feinstein. You said there have not been many occasions 
when significant damage has been done, but has some damage 
been done? 

Mr. Vatis. I am sure there are instances where somebody has 
done damage. I do not have any specific recent examples to bring 
to you. 

Senator Feinstein. You mentioned Operation Moonlight Maze. 
In that operation, has there been any penetration of classified sys- 
tems? 

Mr. Vatis. I should not get into that area in this setting. 

Senator Feinstein. I would be interested, perhaps in a classified 
setting, if you might be able to indicate that. I think those are key 
questions. 

Senator Kyl. Excuse me. I might mention, we had a briefing established 
yesterday by Dick Clarke. 

Senator Feinstein. I could not attend. 

Senator Kyl. Well, none of us could and, therefore, it was can- 
celled, but we will do it. We will reschedule it when everyone can 
attend and we will do that. 

Senator Feinstein. If we could discuss this in that briefing, I 
think that would be 

Senator Bennett. If I may, Senator, we have had a briefing on 
that in the Y2K Committee. I agree with the witness, these are 
classified matters, but I agree with you in pursuing them because 
they are very important. 

Senator Feinstein. I was recently told that there are certain 
computer software available for free on the Internet that allows a 
person to install what amounts to an undetectable trap door on an- 
other person’s computer. As long as that computer remains hooked 
up to the Internet, the hacker can then read the target’s e-mails, 
see every password, move the mouse, erase files from the computer, 
and even shut it down, all without detection or recourse. I under- 
stand that some of the software is commercially available and ben- 
eficial for internal company use, but it also seems to me that some 
people are clearly trying to teach people how to infiltrate outside 
computers and do some real harm. Are you aware of this kind of 
software? 

Mr. Vatis. Yes, we are. There are several instances of that. One 
recent piece of software that fit that description is something called 
Back Orifice 2000, which was released at the recent DefCon 
hackers’ conference in Las Vegas, which permits an external user 
to gain unauthorized access and do things to another person’s sys- 
tem along the lines that you mentioned. This is something we are 
aware of. We have actually issued several advisories to both gov- 
ernment agencies and the private sector about that particular tool. 
But these types of tools, hacking tools, pop up daily and there are 
new tools. I am sure you will hear from Rich Pethia about more 
specifics on those types of things. But the one you mentioned, if I 
think that is the one you are referring to, is one we are very well 
aware of and have issued warnings on. 

Senator Feinstein. Are there any commercial systems available 
that can pierce classified systems? 

Mr. Vatis. The protection of the classified systems is mainly a 
matter of controlling the access. It is not that they are impen- 
etrable, per se. Beyond that, I really do not want to get into that 
area of the classified systems. 

Senator Feinstein. If this could be another area, Mr. Chairman, 
that we could discuss, because there is — and you and I have both 
been involved in the encryption area, and there is this strong feel- 
ing in the industry about protecting privacy, with which I think we 
both agree. Now, here we are with systems commercially being de- 
vised to pierce that and to sabotage that very same privacy and put 
these on the open market. I think that raises a very real question 
that what would be appropriate regulation by the government, if 
any, of systems that pierce the privacy and really can sabotage a 
system. 

Do you have any suggestions as to what can be done to ensure 
that teenage hackers or others do not simply leave such trap doors 
or computer programs on the computers they penetrate? 

Mr. Vatis. A lot of the security measures that we would rec- 
ommend are really rather basic and it is a question of devoting suf- 
ficient resources and attention to those basic security measures. 
Careful perimeter security design of a network, augmented by care- 
ful personnel security policies, because oftentimes the beginning of 
a successful intrusion is social engineering and getting passwords 
or log-in information by calling up a user and pretending to be 
someone who forgot his password, for instance. The use of smart 
cards and tokens, one-time passwords, would also be a successful 
way to implement security, and updating virus detection software 
and also implementing the latest patches that are made available 
are all basic security practices that are too often neglected. 

Senator Feinstein. Are those protections in place in all, I will 
not use the word highly secure systems, but all key government 
systems today? 

Mr. Vatis. Basic security policies are in place across the govern- 
ment to effect that sort of security. Where the breakdown some- 
times occurs is in the implementation. The Solar Sunrise case is 
another good example of that. The vulnerabilities that the teen- 
agers took advantage of were ones that were known throughout the 
network community, the system administrator community, and, in 
fact, patches were available to fix those vulnerabilities. The prob- 
lem was that the patches had not been implemented across the 
DOD systems. So the policies exist, but it is the implementation 
that is the difficult part. 

Senator Feinstein. What about the private systems, airlines, 
railroads, telephones, power systems? 

Mr. Vatis. The difficulty there, as Mr. Tritak referred to, is that 
these are privately owned systems over which the government has 
very little directive authority or regulatory authority. Much of the 
private sector is beginning to pay more attention to security and 
the need to have good security practices, to spend money on effec- 
tive security, because they are beginning to see that poor security 
will have a deleterious impact on the bottom line. But it is still a 
problem in the rest of the private sector of getting the decision 
makers, the corporate decision makers, to focus enough attention 
and resources on that type of security. 

Senator Feinstein. Let me ask this question. Of these kinds of 
systems, and I am speaking about the big systems, what would you 
say the level today of vulnerability is, low vulnerability, medium 
vulnerability, or high vulnerability? 

Mr. Vatis. As a general matter, I would have to say it is high. 
I think there are significant vulnerabilities in these critical systems 
that not only can be taken advantage of but are being taken advantage 
of. We have not seen what some people have referred to as the 
electronic Pearl Harbor, where somebody has used those 
vulnerabilities to engage in a massive destructive attack. But just 
the examples that we have discussed this morning should be suffi- 
cient to indicate to people and to demonstrate that these significant 
vulnerabilities do exist. If teenagers can gain the type of access to 
the types of systems that we have seen just in the last couple of 
years, those instances in themselves should demonstrate the level 
of vulnerability. 

Senator Feinstein. We had one situation in San Francisco at a 
PG&E, it seemed to me, plant where everything got shut down. So 
what you are saying is, in the private sector, in terms of the civil- 
ian infrastructure, today, there is a very high vulnerability and 
that the private sector has not responded significantly to use avail- 
able technology to quell that vulnerability? 

Mr. Vatis. It is a mixed bag, but I think, in general, when we 
are talking about those critical infrastructures, there are signifi- 
cant vulnerabilities that do exist and that is one of the reasons 
that we have been trying to engage in information sharing about 
the vulnerabilities, about the threats, to make people aware in the 
private sector of where the vulnerabilities lie, what types they are, 
and also what the threats are that might take advantage of those 
vulnerabilities. 

But again, we should not act as though the private sector does 
not have its act together but the government does, because I think, 
as Mr. Tritak said and as the next panel will get into, there are 
also significant vulnerabilities in the government. So I think the 
Nation as a whole, both the private sector and the public sector, 
needs to face up to this and deal with these vulnerabilities. 

Senator Feinstein. Thanks very much, Mr. Chairman. 

Senator Kyl. Thank you. I think particularly important is the 
fact you brought out that the efforts here are not invasive of pri- 
vacy but rather are important in order to protect people’s privacy. 
That is very important. 

Senator Bennett. 

Senator Bennett. Thank you, Mr. Chairman. 

In July, you both testified before the Y2K Committee and there 
were no clear answers as to what cyber reconstitution was. We 
talked about that at that time. Can you tell me now, in the case 
of either a Y2K failure or an IW event, where there is an actual 
attack to try to shut something down, how the United States would 
facilitate cyber reconstitution, in other words, bring a system back 
up? This is for either one. 

Mr. Vatis. I think my answer would still be the same as in July, 
which is that reconstitution of private systems, at least for the first 
part of the answer, the responsibility resides first and foremost 
with the private sector, but the assistance to the private sector is 
the responsibility of the lead agency under PDD 63, to provide the 
expertise and any assistance that we can offer. Then the con- 
sequence management for disruption, providing emergency genera- 
tors, for instance, in the event of an attack on the electrical power 
system, would be the responsibility of FEMA. 

Senator Bennett. Yes. Well, the FEMA example is the obvious 
one. You have a disaster, whether it is a tornado in Salt Lake City 
or an earthquake in California or a hurricane off the coast of Flor- 
ida, and here is a government agency that steps in after the fact 
to try to help rebuild the essential infrastructure. I just asked the 
question in order to keep the issue alive, recognizing that we do not 
have those kinds of answers, but we need to keep focusing on this, 
because if somebody does succeed in shutting us down, we ought 
to have some sort of electronic FEMA in place that can say, all 
right, we were not able to prevent it, but we can reconstitute the 
service relatively quickly. 

Senator Feinstein talked in terms of success. Just a quick edi- 
torial comment. My concern, and that is shared by a lot of the folks 
with whom I have spoken over this particular odyssey, has to do 
with people who get in undetected. Success is when you can stop 
it at some level. But is there a level where people have gotten in, 
gotten the information they want, and gotten out without our 
knowing it? Not to sound like a Tom Clancy novel, but the last one 
I read that described how a Russian submarine had tracked an 
American submarine without the Americans realizing it. I think 
there is some indication that there may be some of that, that not 
necessarily the teenage hackers but nation states have gotten into 
our computers, gotten the information they were looking for, and 
left, and most frighteningly, maybe left behind a trap door that 
would allow them to do that undetected wherever they are. 

I make that point simply to underscore once again, we are living 
in a new world. We are living where there is no sanctuary. We are 
not hiding behind our oceans. Our potential enemies are, indeed, 
in our bowels, if you will, and it becomes very important for us to 
just start thinking that way as we look for remediation. 

It is my experience that when you talk to people in industry 
about this issue, you get the same kind of response we initially got 
with respect to Y2K. That is, hey, it is not really a problem and 
our IT people will handle it and it will all go away. We will get 
it under control. It was not until we got the attention of the CEO 
as well as the CIO that we got significant progress in industry. 

When I talk to industry leaders, they all say, oh, we have fire- 
walls. We have spent the money. We have firewalls. My sense is 
that these firewalls have never really been tested the way the fire- 
walls of the Defense Department, for example, have been tested. 
The Defense Department is a whole lot harder than a lot of people 
realize. I have now spent enough time going around to Defense Department 
installations to discover that. But I am not sure how 
hard some of the private institutions are. 

Do either of you have a sense of how effective the firewalls are 
in private industry compared to the government? 

Mr. Vatis. I think it varies tremendously, whether they even 
have firewalls, first of all, and second of all, how good the firewalls 
are, and then third, whether the firewall and other security meas- 
ures are actually implemented properly. But no firewall is impen- 
etrable, and I think sometimes people have a false sense of secu- 
rity. As you indicated, merely from the fact that their IT guys as- 
sure them that they have a firewall, they think as a result that 
they are totally secure, and that is a false sense of security. 

Senator Bennett. I do not want to get across the line into classi- 
fied information, but let me posit this as a hypothetical. Suppose 
a U.S. Government red team were formed and offered to make an 
attempt to get into certain industry areas, just as an exercise. How 
do you think industry officials would react to that? 

Mr. Vatis. I think some of them would actually welcome that 
kind of assistance in testing their systems and others might be 
averse to it because they would not want to know the answer. 

Senator Bennett. How about government agencies outside of the 
Defense Department? Say, for example, the Department of Energy, 
that has responsibility for our nuclear weapons, was told, OK, that 
is wonderful that you have all of these protections. Now we are 
going to try to penetrate you. Do you think the Secretary of Energy 
should cooperate with that effort? 

Mr. Vatis. Absolutely. I think red-teaming is an important part 
of any set of security measures because the only way to know 
whether your security measures are adequate is to test them. So 
I think that is a critical thing. 

Senator Bennett. Thank you, Mr. Chairman. 

Senator Kyl. Thank you. Senator Feinstein. 

Senator Feinstein. Let me just thank you for being up-front and 
forthright with this. I think it is really important and I appreciate 
the fact that you speak directly. It is my understanding that at 
least 22 of the largest Federal agencies have significant computer 
weaknesses, either because they do not know how to fix the prob- 
lem or because they do not realize the problem exists. The GAO re- 
port gives some examples. 

In May 1999, NASA computer-based controls were successfully 
penetrated on several mission-critical systems. In August 1999, se- 
rious weaknesses in DOD’s information security continued to pro- 
vide both hackers and hundreds of thousands of authorized users 
the opportunity to modify, steal, inappropriately disclose, and de- 
stroy sensitive DOD data. I mean, that is a month ago. In July 
1999, GAO reported the Department of Agriculture’s national fi- 
nance center had serious access control weaknesses. And in Octo- 
ber 1999, which is now, we report that the Department of Veterans 
Affairs systems continue to be vulnerable to unauthorized access, 
and they point out one VA insurance center, 265 users who had not 
been authorized access had the ability to read, write, and delete in- 
formation related to insurance awards. 

Have these been remedied? These 22 agencies, have their weak- 
nesses been remedied? 

Mr. Vatis. I do not know the answer to that question. 

Senator Feinstein. Mr. Tritak. 

Mr. Tritak. I do not know the answer to that question, either. 

Senator Feinstein. Our next panelist does? Good. Perhaps they 
can answer it. I look forward to it. Maybe that is a good segue. 

Senator Kyl. Thank you very much. 

We would really appreciate your responses, because as we have 
mentioned here, this will be just one in a continuum of hearings. 
We obviously will want to get a report about the timing on the 
completion of the plans and on the operations capability and time 
frames. We will want to have you come back and report that to us. 

I am looking forward, Mr. Vatis, to perhaps even getting into just 
two or three specific kinds of cases, one attack on our defense or 
security infrastructure, one financial attack to steal money, and 
then perhaps another one, either an insider attack or a terrorist 
kind of attack. I think it would be very interesting to have you get 
into detail about — just take two or three or four case studies and 
walk through them and talk about the three or four different kinds 
of intrusion that can take place and how it does without getting 
into too much how-to, obviously. 

I believe that, as Senator Bennett said, this does sound a little 
bit like Tom Clancy, but it is a reality and people are fascinated 
by it. If they can come to be fascinated by it, they can come to be 
concerned about it and then we can help Mr. Tritak and others get 
their job done on a timely basis. 

I thank both of you for being here very much and would like to 
call the next witness now. Jack Brock. We will get started, and if 
we have to be interrupted, we will, but I would at least like to 
begin the testimony. 

Mr. Brock, as I said, is with GAO. He is the Director of the Gov- 
ernment-Wide and Defense Information Systems, Accounting and 
Information Management Division, and will testify specifically to 
what GAO has found with respect to government vulnerabilities 
and hope to be able to answer the questions that Senator Feinstein 
got into. 

Senator Feinstein. I did not mean to jump his testimony. 

STATEMENT OF JACK L. BROCK, JR., DIRECTOR, GOVERN- 
MENT-WIDE AND DEFENSE INFORMATION SYSTEMS, AC- 
COUNTING AND INFORMATION MANAGEMENT DIVISION, U.S. 
GENERAL ACCOUNTING OFFICE, WASHINGTON, DC; ACCOMPANIED 
BY JEAN L. BOLTZ 

Mr. Brock. I hope so. With your permission, Mr. Chairman, I 
would like to have Ms. Boltz 

Senator Kyl. We welcome Jean Boltz on the panel, as well. 

Mr. Brock. Thank you. 

Senator Kyl. Thank you. Go ahead. 

Mr. Brock. I appreciate very much, Ms. Feinstein, your summa- 
rizing the most interesting part of my statement, and you did it 
very effectively. 

I think the first two witnesses, as well as the opening state- 
ments, Mr. Chairman, of you and Ms. Feinstein and Senator Ben- 
nett, very effectively talked about that there is a real threat, that 
there are real opportunities with connectivity and that these opportunities 
are wonderful. They offer incredible advances in the way 
we do business, the way we communicate, and the future opportu- 
nities are even greater and we do not want to lose that advantage. 
Almost ironically, though, these same opportunities offer new ways 
of disrupting the national infrastructure, and that is what the pur- 
pose of your hearing is today. 

I want to focus primarily on the Federal portion of that. We have 
reported that 22 of the largest Federal agencies have significant 
weaknesses and our statement details several examples. We could 
have gone on page after page after page of examples, were it 
NASA, at VA, at, although we did not list it in here, the Financial 
Management Service, the Department of Agriculture, agencies that 
have billion dollar portfolios, agencies that protect the national de- 
fense, we have broken into. 

In breaking into these agencies and doing our penetration test- 
ing, we could have done severe damage to the systems, we could 
have done severe damage to the information that was contained in 
those systems, and we could have denied access by the agencies to 
that information. We obviously did not do so, but the risk is there. 
The vulnerabilities are there. 

To get to your point, and I will just answer your question now, 
have the agencies repaired these holes? Yes and no. At the individ- 
ual problem level, they have taken immediate action. All of them 
have been very responsive. However, it is like having a bad roof on 
your house and you are continually having leaks and you put up 
a shingle here and a shingle there and pretty soon you have sort 
of shingled over the house but you are still having the leaks. These 
agencies need a whole new roof. It is not just a question of fixing 
the vulnerabilities we find. 

When we go back to agencies — at DOD, we were there 2 years 
ago. We just issued our second report last month. At VA, we were 
there a couple of years ago. We just issued our report. These agen- 
cies had taken good strides in fixing the vulnerabilities we identi- 
fied before, but there were new vulnerabilities that cropped up. 

We believe that at many agencies, computer security is a bot- 
toms-up type of affair, that the real problem needs to be owned, as 
Senator Bennett said, by the top management, and if top manage- 
ment does not own the problem, if they do not provide the re- 
sources, if they do not assign the accountability, then computer se- 
curity is more likely a catch-as-catch-can affair. 

We have been looking at computer security for several years and 
we find the same problem every time — poor access controls, poor 
system controls, poor management controls, and we were just be- 
ginning to repeat ourselves. A couple years ago, we started work 
on what we called best practices or leading practices, where we 
went to a number of organizations that had good computer security 
programs, and almost uniformly, these organizations had one, a 
central point of control, someone that was clearly accountable for 
information security. That person was always accountable to the 
chief executive officer or the chief operating officer. 

There was a real assessment of the risk that that organization 
faced in terms of defining threats, vulnerabilities, and the value of 
the information that the organization had. These organizations 
then developed policies and procedures and processes that allowed 
them to be responsive to those risks. 

Next, they made people well aware of what their roles and re- 
sponsibilities were and made sure that those were accountable for 
monitoring and maintaining control over the processes and apply- 
ing them. 

And then lastly, there was independent assessment of the organi- 
zation’s performance, and this is a continuous cycle. It is not a one- 
time thing that stops. It goes on and on and on. We think that if 
agencies did this, that, in fact, they could eliminate many of the 
weaknesses that they have right now. Our report has been en- 
dorsed by the CIO Council. It has been endorsed by many individ- 
ual agencies. I think the level of effort, though, goes to endorse- 
ment and we have not seen a lot of real positive action on imple- 
menting the broad management reforms that need to take place. 

I would like to talk a little bit, though, about PDD 63 and the 
current environment that is going on. We see this as a real oppor- 
tunity, that there is now a discussion at a national level about 
issues that could have a significant impact, a positive impact, on 
the ability not only of Federal agencies, but also the ability of the 
entire infrastructure to provide better assurance that 
vulnerabilities will be closed up. 

We have identified seven topics, though, that we think need to 
be addressed in the discussion in order for things to move forward. 
First of all is clearly defined roles and responsibilities. Under the 
current law, there are a lot of agencies that have some set of re- 
sponsibilities and duties. It is not always clear what these are and 
it is not always clear that they are being implemented. PDD 63 has 
also introduced a number of new organizations and many of these 
organizations and processes are immature and have not found their 
way yet. So it is unclear how they are going to relate and inter- 
relate and it is unclear about what sort of impact they can have 
on agencies and on the private infrastructure. So it is important 
that as the debate unfolds, that roles and responsibilities be clearly 
defined, that authorities and accountability be clearly defined. 

Second, we see a need for specific risk-based standards. Right 
now, most of the guidance is very general. For example, NIST 
issues guidance saying that users should be authenticated. Well, 
that can mean anything from a four-digit password to your thumb- 
print. We believe that agencies need more specific guidance on how 
to identify risk, how to categorize these risks, and then have stand- 
ards that are tailored to addressing these risks. 

We think there should be routine evaluations of agency perform- 
ance that we need to measure. If you cannot measure what you are 
doing, if you cannot report on the success, the failures, the opportu- 
nities missed, the opportunities gained, then it is really impossible 
to see what the lessons learned and what you need to do. The CFO 
Act is a good example of this, where there are now independent au- 
dits of agencies’ financial statements, and as a result of that, agen- 
cies have made incredible strides in improving their financial man- 
agement operations over the past 5 years. We think similar oppor- 
tunities exist with computer security. 

Next, executive branch and Congressional oversight. Senator 
Bennett has been instrumental in the Senate in terms of providing 
very rigorous oversight over Y2K issues. Just as importantly, 
though, most of the individual committees that have oversight over 
individual agencies have also had hearings, and not just one hear- 
ing but multiple hearings. The same thing is true on the House 
side. The same thing is true in the executive branch, where the 
oversight over Y2K has been notably more rigorous than it has 
been on computer security issues. 

As a result of this, many of the hurdles have been overcome by 
the constant pressure of the spotlight being shone on the issue, 
identification of things that need to be done, and solutions reached. 
So a continuation of that type of executive branch and Congres- 
sional oversight and leadership is important in this area, as well. 

The next area is adequate technical expertise. If you do not have 
the right kind of people, you are not going to come up with the 
right kind of solutions, and this is a problem. We have an executive 
council of independent CIO’s in the private sector. They are telling 
us that a system administrator that is well qualified can make 
about $150,000 in the private sector. That is not true in the public 
sector. There is inadequate training. There are just not enough peo- 
ple sometimes to go around. If this problem is not addressed, then 
regardless of the policies and procedures and the good work that 
goes into it, if you do not have the technical resources to carry it 
out, you still will not be able to reach success. 

The next area is adequate funding. The most positive response 
we got to our publication last week on critical infrastructure protec- 
tion, comprehensive strategy control, and year 2000 experiences, 
we pointed out in that report that there was funding for Y2K fixes, 
that the funding was made available not only with the agencies di- 
rectly in their budgets but also in the emergency supplemental 
fund, that there was a relatively good assurance that the funds 
would be available. That is not always true on computer security. 

On the other hand, because of the relatively low level of some 
agencies in terms of their abilities to effectively deal with the prob- 
lem, you do not also want to paper it over with money. You need 
to make sure that if agencies have more funds, that they are also 
prepared to spend them wisely. 

Incident response and coordination, and again, talking about the 
Federal Government, there is no real requirement to report inci- 
dents. As a real matter, within some agencies, we find that even 
within the agency, they do not report incidents, if they are aware 
of it. Certainly, agencies are not uniformly reporting them to 
FedCIRC, housed at GSA, and as a result, opportunities are missed 
to learn from what agencies are experiencing, opportunities within 
the agency and opportunities among the agencies. 

We think that if these seven issues come up for serious discus- 
sion and resolution during the discussion of the national plan and 
then placed on top of a renewed infrastructure within the agencies, 
that solutions are available to improve computer security within 
the government. There is no panacea. There is no magic bullet. 
There is no assurance that problems will be completely eliminated, 
but we think there is lots of opportunity for improvement. 

Mr. Chairman, that concludes my statement, and Ms. Boltz and 
I would be happy to answer any questions you might have. 

Senator Kyl. Thank you. There are other important hearings 
going on today, but I think what you have said here, while I know 
it has been in the public domain before, maybe has not been fo- 
cused on, and I think it is important that I repeat just a little bit 
of it and have you comment on it. 

You are basically saying that through your audits, the GAO au- 
dits, you found that our government — I am quoting now — “is not 
adequately protecting critical Federal operations and assets from 
computer-based attacks.” You go on to say that the audits show 
that 22 of the largest Federal agencies have significant computer 
security weaknesses, right? 

Mr. Brock. That is correct. 

Senator Kyl. You further say that reports issued over the last 
5 years describe persistent computer security weaknesses that 
place Federal operations such as national defense, law enforce- 
ment, air traffic control, and benefit payments at risk of disruption, 
as well as fraud and inappropriate disbursements, I think is the 
word, or disclosures. 

Mr. Brock. Yes, sir. 

Senator Kyl. Specific incidents, you mention just this year you 
successfully penetrated several mission-critical systems of NASA. 
Just in August of this year, you reported weaknesses in DOD’s sys- 
tem that provide people the opportunity to modify, steal, inappro- 
priately disclose, or destroy sensitive DOD data. You talked about 
the fact that DOD functions, including weapons and supercomputer 
research, as well as others, have already been adversely affected by 
system attacks or fraud. 

Mr. Brock. That is correct. 

Senator Kyl. See, those are very important, disclosures that are 
important for the public to appreciate, and I do not believe that the 
message has gotten out yet. I am told that you have to repeat 
something 6 times before it takes hold. Maybe that is true in the 
Senate; I am not sure about the public generally. But I think it is 
important that the results of this GAO work be conveyed to the 
public in order to help generate the support for the financial sys- 
tems that is needed as well as the other reforms that you pointed 
out can be accomplished. 

Let me ask you whether you can say whether in these attacks 
by GAO you were able to gain access to classified information. 

Mr. Brock. We were focusing our penetration test on sensitive 
but unclassified systems. 

Senator Kyl. OK. 

Mr. Brock. The last thing I ever want to see is a headline in the 
morning saying, “GAO Brings Down Critical Systems.” 

Senator Kyl. Yes. Why has it taken so long for PDD 63 to get 
off the ground? You mentioned that there has been no real action 
on the broad reforms that are necessary, and we heard testimony 
earlier that you heard about the delays of well over a year in get- 
ting this plan off the ground. Why is it taking so long? 

Mr. Brock. I think there are a couple of reasons. First of all, let 
me say that I think the concept behind PDD 63 is long overdue. 
However, you are starting from an environment where there was 
not a lot of consensus over what needed to be done and how it 
should be done, and I think that part of the delay has been in 
building that consensus. I think part of the delay, as well, is one 
of the requirements of PDD 63 is for each of the agencies to de- 
velop a plan. It has taken a long time to develop those plans and 
it is taking a long time to get them in the kind of shape, because 
they are also starting from ground zero. 

So part of it is trying to bring some people together that may 
have some different agendas. I think that is important to do that. 
Part of it, I am sure, is logistics, and part of it has been, I believe, 
the inability of some agencies to respond with the kind of material 
that was required by PDD 63. 

Senator Kyl. Let me add just two more things. First of all, this 
subcommittee will continue to explore, in particular, any legislative 
action that might be necessary. We can generate that as an ongo- 
ing committee of the Senate. The Y2K Committee, of course, does 
not do that, but they point out problems and then we can take it 
from there. So we will continue to focus on that, and if there are 
any legislative suggestions that you want to bring to our attention 
that become apparent, or the need for which becomes apparent as 
a result of your auditing, I hope you will just consider this an open 
request to do that. 

But second, I am going to quote one statement you conclude your 
statement with, that weaknesses continue to surface because agen- 
cies have not implemented a management framework for over- 
seeing information security on an agency-wide and ongoing basis. 
Because of that, I am going to recommend to the chairman of the 
Government Operations Committee, which would have a different 
kind of oversight jurisdiction, to review your audits very carefully, 
prioritize them in some way to identify those that seem most be- 
hind, and to begin bringing them in, agency by agency, to ask very 
specific and very hard questions using the information from your 
audits to bring to light some of the deficiencies. Obviously, the goal 
here is not to point fingers, but as you pointed out, to get on with 
the fixes that have to be put into place. 

Do you have any other comment about what we could do to help 
advance this all, in addition, of course, to helping to provide the re- 
sources that you identified earlier? 

Mr. Brock. I think the constant spotlight, the questions, the sug- 
gestion you had for the committee to bring the individual agencies 
up, I mean, that imposes a level of accountability that forces action. 
It forces the top management within those agencies to say, here is 
an issue that Congress is interested in. I need to elevate my own 
interest. As I said, that was very successful in Y2K and I think it 
can be successful in computer security, as well. 

Senator Kyl. Whether we do that in this subcommittee or if an- 
other full committee takes that oversight, we will expect to maybe 
check back with you in a few months, maybe sometime mid-year 
next year and have you give an honest, straightforward, unvar- 
nished evaluation of how our government agencies are doing. 

Mr. Brock. We will do so, sir. 

Senator Kyl. Thank you. Senator Feinstein. 

Senator Feinstein. Thanks, Mr. Chairman. You know, Mr. 
Brock, first of all, again, your report is very straightforward and 
I appreciate that very much. But we have all heard the same 
adage, you cannot squeeze blood out of a turnip. In many respects, 
the Federal Government is a turnip in this respect. You pointed out 
the differential in salaries. The private sector goes out, they get the 
most experienced personnel, their cutting-edge software, all the 
rest. I question whether we really have the expertise to do what 
is necessary. 

I read your conclusions and your suggestions in your report, but 
the one thing where this is really lacking is how do you get that 
kind of cutting-edge technical knowledge that departments can go 
to and say, here, I know we have a problem. Do something about 
it. It seems to me we lack that. Now, whether it can be contracted 
out for in the private sector, whether the government has to put 
together some specific area and really bring together the brightest 
and the best across the nation to do this, I do not know. 

But it seems to me that you can go to someone and say, look, you 
have got a big problem, and they can look at it and they may not 
even know how to remedy it or even have the people that can make 
the suggestions that were adequate. You spoke about a new roof. 
I do not think you are going to get a new roof unless we can reach 
out in an unprecedented way. 

Mr. Brock. I agree with you, Senator. There are sort of two as- 
pects of that. One of the things that I believe that the national plan 
is contemplating on proposing are initiatives in terms of increasing 
skills and abilities, sponsoring more research and development in 
the area, training people, providing opportunities. People have been 
looking at salary differentials and ways of addressing that. 

So looking at ways of bringing on skills, either by improving the 
skills on board or attracting new people, that is one issue. Con- 
tracting out, under proper controls, is an issue. Many of the weak- 
nesses that we identified, though, are almost no cost. 

When we go into agencies, for example — and these are real ex- 
amples — and we find the schematic for their network topology on 
the website and we find on another website an open discussion of 
the weaknesses they have over some of their controls, it is like a 
bank saying, here is our building plan and here is our guard sched- 
ule and here are the guards that have bullets and here are the 
guards that do not. I mean, there are some basics like that that 
just require basic attention. 

The other big area that is really, again, very basic is that many 
of our penetration tests are done through password guessing. We 
have these programs that just generate password after password 
after password and people are very lax in changing their pass- 
words. They use overly simplistic passwords. This is one of the rea- 
sons we were calling for different standards for risk. For some 
types of information, a simple four- or five- or six-digit password 
probably is not enough. You need another level of protection. 

So there are a lot of basic things, and some agencies have made 
remarkable progress in terms of addressing this within more of a 
comprehensive management perspective, where they are improving 
their information management across the board. 

For example, when we have looked at controls at the Federal Re- 
serve, they are very well done. They also have a very good Y2K 
program. They also have a very good information management pro- 
gram. 

We have had some negative reports about IRS and its computer 
security. Recent reports have indicated they have been making real 
progress, and also, and I do not think it is coincidental, we have 
also noted that they made real progress in the way they manage 
their big systems development efforts, as well. 

So management attention is the most critical factor, but I would 
agree with you that providing the availability of resources is a 
thorny issue and it may be one of these areas, Mr. Chairman, 
where some sort of legislative alternatives may need to be looked 
at. 

Senator Feinstein. In your report, you mention that the exam- 
ples that I mentioned and Senator Kyl went over more thoroughly 
are just examples of weaknesses. I would like to ask for the full 
list of weaknesses that you found. 

Then second, I would like to ask you to go back in one month 
and repeat this and see if those weaknesses have been remedied. 
I will bet you they have not. I will bet you 25 cents they have not. 
That will be my request, and I will put that in writing to you, as 
well. But I would like to see the full list rather than just the exam- 
ples, if I might, of the 22 departments. 

Mr. Brock. OK. We can provide you with an overview of each 
of the 22 and details to support them, as well. 

Senator Feinstein. Thank you very much. Thanks, Mr. Chair- 
man. 

Senator Kyl. Senator Feinstein, by the way, I will see your bet 
and raise you, but we will not convey it on the Internet. How is 
that? 

Senator Feinstein. All right. 

Senator Kyl. We probably should consider writing a letter to the 
President and perhaps the Director of the OMB to encourage them 
as they begin thinking about the new budget that they will be pre- 
paring for submission to the Congress next year, that they be very 
alert to the requests of the different agencies for the financial re- 
sources to accomplish all of these objectives so that it is not a mat- 
ter of after the fact, that they are all focusing on their needs early 
on, they put those needs down, and the President is fully cognizant 
of them when he submits his budget to us. 

Senator Feinstein. May I make one suggestion? 

Senator Kyl. Absolutely. 

Senator Feinstein. The prior speakers brought out that there 
was no requirement to report incidents. There should be a require- 
ment to report incidents. 

Senator Kyl. Mr. Brock, you alluded to that, as well. Do these 
agencies just not have an interagency protocol? 

Mr. Brock. It is really unclear to me whether it is a matter of 
choice that they do not report or just a simple matter of omission. 
But most of them, or many of them, do not report incidents. Jean, 
do you have anything to add to that? 

Ms. Boltz. Yes. In many cases, there is really not a commonly 
accepted definition of what an incident is. It can be just a probe, 
it can be an attack, an actual intrusion, which may or may not 
cause damage. So there are really no rules about what to report to 
whom and to when. 
Senator Kyl. I agree with Senator Feinstein. This is the kind of 
thing where there has got to be a consistent policy, and if it cannot 
be done through the plan — I think the first thing would be to see 
if we can get them to put that in the plan for sure. If not, then 
legislation would be perhaps appropriate. 

But as Senator Bennett has pointed out before, come January 1, 
who is to know what it is? The computer goes down. Well, was it 
because of Y2K? Was it because somebody was taking advantage 
of Y2K? Was it because there is just an effort to disrupt, or maybe 
was that the result of something more intrusive? So you cannot 
know for sure, and that is why, what I think Senator Feinstein’s 
point is, all of these incidents need to be reported and then we can 
sort out later what the problem is. 

Senator Feinstein. Could we write a letter formally from us to 
Mr. Tritak and ask that this be included in the plan? 

Senator Kyl. I think that is a good suggestion. 

Senator Feinstein. And we could put some specifics into that re- 
quest. 

Senator Kyl. And we might even call upon Mr. Brock and Ms. 
Boltz to help us formulate that. 

Senator Feinstein. Yes. 

Senator Kyl. I really appreciate your being here today. 

[The prepared statement of Mr. Brock follows:] 
Mr. Chairman and Members of the Subcommittee: 

We are pleased to be here today to discuss the "cyber" or computer security 
aspects of critical infrastructure protection. Since the early 1990s, an 
explosion in computer interconnectivity, most notably growth in use of the 
Internet, has revolutionized the way our government, our nation, and much of 
the world communicate and conduct business. The benefits have been enormous 
in terms of facilitating communications, business processes, and access to 
information. However, without proper safeguards, this widespread 
interconnectivity poses enormous risks to our computer systems and, more 
importantly, to the critical operations and infrastructures they support, 
including telecommunications, power distribution, emergency services, law 
enforcement, national defense, and other government services. 

Today, I will focus on federal agency performance in addressing computer 
security issues. Recent audits by GAO and agency inspectors general (IG) show 
that our government is not adequately protecting critical federal operations 
and assets from computer-based attacks. These audits show that 22 of the 
largest federal agencies have significant computer security weaknesses. 
Addressing this widespread and persistent problem requires significant 
management attention and action within individual agencies as well as 
increased coordination and oversight at the governmentwide level. I will now 
provide greater detail on these problems and discuss broader issues that need 
to be considered as a national strategy for critical infrastructure 
protection is being considered. 

WEAK CONTROLS PLACE FEDERAL PROGRAMS AT RISK 

GAO and IG reports issued over the last 5 years describe persistent computer 
security weaknesses that place federal operations such as national defense, 
law enforcement, air traffic control, and benefit payments at risk of 
disruption, as well as fraud and inappropriate disclosures. Our most recent 
analysis, of reports issued during fiscal year 1999, identified significant 
computer security weaknesses in 22 of the largest federal agencies. These 
included weaknesses in (1) controls over access to sensitive systems and 
data, (2) controls over software development and changes, and (3) continuity 
of service plans. These types of weaknesses increase the risk that intruders 
or authorized users with malicious intentions could read, modify, delete, or 
otherwise damage information or disrupt operations for purposes such as 
fraud, sabotage, or espionage. This body of audit evidence led us, in 
February 1997 and again in January 1999, to designate information security 
as a governmentwide high-risk area in reports to the Congress. 

Examples of these weaknesses and the risks they present include the 
following. 


• In May 1999, we reported that, as part of our tests of the National 
Aeronautics and Space Administration's (NASA) computer-based controls, we 
successfully penetrated several mission-critical systems. Having obtained 
access, we could have disrupted NASA's ongoing command and control 
operations and stolen, modified, or destroyed system software and data. 


• In August 1999, we reported that serious weaknesses in Department of 
Defense (DOD) information security continue to provide both hackers and 
hundreds of thousands of authorized users the opportunity to modify, steal, 
inappropriately disclose, and destroy sensitive DOD data. These weaknesses 
impair DOD's ability to (1) control physical and electronic access to its 
systems and data, (2) ensure that software running on its systems is 
properly authorized, tested, and functioning as intended, (3) limit 
employees' ability to perform incompatible functions, and (4) resume 
operations in the event of a disaster. As a result, numerous Defense 
functions, including weapons and supercomputer research, logistics, finance, 
procurement, personnel management, military health, and payroll, have 
already been adversely affected by system attacks or fraud. 


• In July 1999, we reported that the Department of Agriculture's (USDA) 
National Finance Center (NFC) had serious access control weaknesses that 
affected its ability to prevent and/or detect unauthorized changes to 
payroll and other payment data or computer software. NFC develops and 
operates administrative and financial systems, including payroll/personnel, 
property management, and accounting systems for both the USDA and more than 
[number illegible] other federal organizations. During fiscal year 1998, NFC 
processed more than $19 billion in payroll payments for more than 450,000 
federal employees. NFC is also responsible for maintaining records for the 
world's largest 401(k)-type program, the federal Thrift Savings Program. 
This program, which is growing at about $1 billion per month, covers about 
2.3 million employees and totaled more than $60 billion as of September 30, 
1998. The weaknesses we identified increased the risk that users could cause 
improper payments and that sensitive information could be misused, 
improperly disclosed, or destroyed. 

• In October 1999, we reported that Department of Veterans Affairs (VA) 
systems continued to be vulnerable to unauthorized access. VA operates the 
largest healthcare delivery system in the United States and reported 
spending more than $17 billion on medical care in fiscal year 1998. The 
department also processed more than 42 million benefit payments totaling 
about $22 billion in fiscal year 1998 and provided life insurance protection 
through more than 2.4 million policies that represented about $23 billion in 
coverage. In providing these benefits and services, VA collects and 
maintains sensitive medical record and benefit payment information for 
veterans and their family members. GAO, as well as the VA IG, continued to 
find serious problems that placed sensitive information at increased risk of 
inadvertent or deliberate misuse, fraudulent use, improper disclosure, or 
destruction, possibly occurring without detection. For example, at one VA 
insurance center, 265 users who had not been authorized access had the 
ability to read, write, and delete information related to insurance awards. 
Such unauthorized access could lead to improper insurance payments. 

POOR SECURITY PROGRAM MANAGEMENT IS 
THE FUNDAMENTAL CAUSE OF POOR COMPUTER SECURITY 

While a number of factors have contributed to weak federal information 
security, such as insufficient understanding of risks, technical staff 
shortages, and a lack of system and security architectures, the fundamental 
underlying problem is poor security program management. We reported on this 
problem in 1996 and, again, in 1998,[8] noting that agency managers are not 
ensuring, on an ongoing basis, that risks are identified and addressed and 
that controls are operating as intended. In many cases, senior agency 
officials have not recognized that computer-supported operations are 
integral to carrying out their missions and that they can no longer relegate 
the security of these operations solely to lower-level technical 
specialists. For these reasons, it is essential that this fundamental 
problem be addressed as part of an effective information technology 
management strategy, which will also serve to strengthen critical 
infrastructure protection. 

Agencies have responded to scores of recommendations for improvement made by 
us and by agency inspectors general. However, similar weaknesses continue to 
surface because agencies have not implemented a management framework for 
overseeing information security on an agencywide and ongoing basis. Instead, 
there is a tendency to react to individual audit findings as they are 
reported, with little ongoing attention to the systemic causes of control 

[8] GAO/AIMD-96-110, September 24, 1996, and GAO/AIMD-98-82, September 22, 
1998. 
To identify potential solutions to this problem, we studied the security 
management practices of eight nonfederal organizations known for their 
superior security programs. We found that these organizations managed their 
information security risks through a cycle of risk management 
activities.[9] The basic framework, built on 16 specific practices, allows 
risk management through an ongoing cycle of activities coordinated by a 
central focal point. The management process involves 

• assessing risk to determine infonnation security needs; 

• developing and implementing policies and controls that meet these needs; 

• promoting awareness to ensure that risks, roles, and responsibilities are understood; and 

• instituting an ongoing program of tests and evaluations to ensure that policies and controls 
are appropriate and effective. 


[Figure: The Risk Management Cycle] 

[9] 98-68, May 1998). 
The guide is generally consistent with OMB and NIST guidance on information 
security program management, and it has been endorsed by the CIO Council as 
a useful resource for agency managers. 

One agency that has illustrated the value of these management practices in 
strengthening computer security is the Internal Revenue Service (IRS). The 
IRS has made significant progress by acknowledging the seriousness of its 
computer security weaknesses, consolidating overall responsibility for 
computer security management, reevaluating its approach to computer security 
management, and developing a high-level plan for mitigating the identified 
weaknesses.[10] 


A COMPREHENSIVE STRATEGY FOR IMPROVEMENT IS NEEDED 


While adopting the practices recommended by the guide can better prepare 
agencies to protect their systems, detect attacks, and react to security 
breaches, other actions are also needed to improve oversight and otherwise 
address the problem from a governmentwide perspective. 

Presidential Decision Directive (PDD) 63, issued in May 1998, recognized 
that addressing computer-based risks to our nation's critical 
infrastructures requires an approach that involves coordination and 
cooperation across federal agencies and among public and private-sector 
entities and other nations. In this regard, PDD 63 established several 
entities to coordinate infrastructure protection efforts.[11] However, the 
details of the PDD's approach have not been finalized. As a result, a major 
objective of PDD 63, to make the federal government "a model to the private 
sector on how best to protect critical infrastructure," has not been 
realized nor is it clear how this objective will be met. 


[10] 5, December 14, 1998). 

[11] In May 1998, PDD 63 created several new entities in the National 
Security Council, the Department of Commerce, and the Federal Bureau of 
Investigation which also have responsibility for guiding and overseeing and 
coordinating agency security with a focus on critical infrastructure 
protection. 

To provide greater assurance that critical infrastructure objectives can be 
met, we believe that actions are needed in seven key areas. I will briefly 
discuss each of these. 

Clearly Defined Roles and Responsibilities 

First, it is important that the federal strategy delineate the roles and 
responsibilities of the numerous entities involved in federal information 
security and related aspects of critical infrastructure protection. Under 
current law, OMB is responsible for overseeing and coordinating federal 
agency security, and the National Institute of Standards and Technology 
(NIST) with assistance from the National Security Agency (NSA) is 
responsible for establishing related standards.[12] In addition, interagency 
bodies such as the CIO Council and the entities created under PDD 63 are 
attempting to coordinate agency initiatives. 

While these organizations have developed fundamentally sound policies and 
guidance and have undertaken potentially useful initiatives, effective 
improvements are not taking place. This is due, in part, to the relative 
immaturity of the recently established processes. It is also unclear how the 
activities of these many organizations interrelate, who should be held 
accountable for their success or failure, and whether they will effectively 
and efficiently support national goals. 

Constraints on resources and the urgency of the problem require that government activities are 
designed and coordinated to achieve clearly understood goals. There must also be clear 
linkage between policy guidance, technical standards, and agency practices to ensure 
responsibility/accountability for actual improvements. 

Specific Risk-Based Standards 

Second, agencies need more specific guidance on the controls that they need 
to implement. Currently agencies have wide discretion in deciding (1) what 
computer security controls to implement and (2) the level of rigor with 
which they enforce these controls. In theory, this is appropriate since, as 
OMB and NIST guidance states, the level of protection that agencies provide 
should be commensurate with the risk to agency operations and assets. In 
essence, one set of specific controls will not be appropriate for all types 
of systems and data. 

[12] The Computer Security Act and the Paperwork Reduction Act. 

However, our studies of best practices at leading organizations have shown 
that more specific guidance is important. In particular, specific mandatory 
standards for varying risk levels can clarify expectations for information 
protection, including audit criteria; provide a standard framework for 
assessing information security risk; and help ensure that shared data are 
appropriately protected. Implementing such standards for federal agencies 
would require developing (1) a single set of information classification 
categories for use by all agencies to define the criticality and 
sensitivity of the various types of information they maintain and (2) 
minimum mandatory requirements for protecting information in each 
classification category. 

Routine Evaluations of Agency Performance 

Third, routine periodic audits must be implemented to allow for meaningful 
performance measurement. A requirement for periodic examinations of controls 
in operation would significantly strengthen oversight requirements in the 
Computer Security Act, which focus on evaluating agency security plans, 
rather than practices. 

Ensuring effective implementation of agency information security and 
critical infrastructure protection plans will require monitoring to 
determine if milestones are being met and testing to determine if policies 
and controls are operating as intended. Evaluations at several levels can be 
beneficial. Tests initiated by agency officials are essential because they 
provide information needed to fulfill their ongoing responsibility for 
managing security programs. Evaluations initiated by independent auditors, 
such as agency inspectors general, can serve as an independent check on 
management evaluations and provide useful information for congressional and 
executive branch oversight. Summary evaluations performed by entities such 
as OMB, GAO, or the CIO Council can provide a governmentwide view of 
progress and help identify crosscutting problems. 

At present, there is no requirement for periodic independently initiated 
tests and evaluations of agency computer security programs. As a result, 
information for measuring the effectiveness of agency security programs, 
and thus, holding agency managers accountable, is limited. While some 
control testing is done in support of annual independent financial 
statement audits, ensuring routine periodic testing of all critical agency 
systems — both financial and nonfinancial — may require new legislation. 

Executive Branch and Congressional Oversight 

Fourth, the executive branch and the Congress must effectively use audit 
results and performance measures to monitor agency performance and take 
whatever action is deemed advisable to remedy identified problems. Such 
oversight is essential to hold agencies accountable for their performance 
and was demonstrated by the recent OMB and congressional efforts to oversee 
the Year 2000 challenge. 

Adequate Technical Expertise 

Fifth, it is important for agencies to have the technical expertise they 
need to select, implement, and maintain controls that protect their computer 
systems. Similarly, the federal government must maximize the value of its 
technical staff by sharing expertise and information. The Computer Security 
Act authorized NIST to provide assistance to agencies and included 
provisions for periodic training in computer security awareness and 
practice. However, as the Year 2000 challenge showed, the availability of 
adequate technical expertise has been a continuing concern to agencies. 

A number of programs and recommendations have been proposed that merit 
congressional study. For example, prompted in part by concerns over 
technical staff shortages affecting Year 2000 efforts, the CIO Council's 
Education and Training committee studied ways to help agencies recruit and 
retain information technology personnel. The resulting report provides an 
extensive description of the current status of federal information 
technology employment, improvement efforts currently underway, and detailed 
proposals for action. 

Adequate Funding 

Sixth, agencies must have resources sufficient to support their computer 
security and infrastructure protection activities. Funding for security is 
already embedded to some extent in agency budgets for computer system 
development efforts and routine network and system management and 
maintenance. However, some additional amounts are likely to be needed to 
address specific weaknesses and new tasks. Also, addressing the Year 2000 
challenge has resulted in postponement of many program and information 
technology initiatives — including system enhancements and computer 
security. OMB and congressional oversight of future spending on computer 
security will be important to ensure that agencies are not using the funds 
they receive to continue ad hoc, piecemeal security fixes not supported by a 
strong agency risk management framework. 

Incident Response and Coordination 

Seventh, there is a need to more comprehensively monitor and develop 
responses to intrusions, viruses, and other incidents that threaten federal 
systems. Several entities are already providing some central coordination 
in this area, including the FBI, NIST, and FedCIRC.[14] However, the 
specific roles and responsibilities of these organizations, as well as the 
balance between governmentwide and individual agency responsibilities, 
should be clarified and expanded to provide a more comprehensive picture of 
the security events that are occurring and assistance in dealing with them. 


Such efforts can take several forms that provide differing benefits. For 
example, a governmentwide response center could provide immediate emergency 
assistance to agencies experiencing intrusions or other potential problems. 
It could also provide assistance on a non-emergency basis, especially by 
alerting agencies to new threats and vulnerabilities and helping them 
identify actions to prevent or mitigate incidents. By calling on a center 
for such assistance, agencies could tap into a source of specialized 
expertise that may be difficult and expensive to maintain at the individual 
agency level. A governmentwide center could also serve as a clearinghouse of 
information on incidents that would be available to federal agencies and 
the public. Such information can be valuable in estimating the significance 
of different types of information security risks. For example, when the 
Melissa virus surfaced earlier this year, we found that there was no single 
place to obtain complete data on what agencies were hit and how they were 
affected. Moreover, there were no data available that quantified the impact 
of the virus in terms of productivity lost or the value of data lost. 

Finally, it is important to recognize that, by itself, a central 
clearinghouse is not a complete solution for the information security 
problems across the federal government. Agencies themselves must still use 
this information effectively to assess risks to their own computer-supported 
operations and to develop and implement sound management controls. 


In conclusion, Mr. Chairman, I want to stress that there are no simple 
solutions to improving computer security throughout the government. What is 
clear is that a bottom-up approach will not work. To begin to meet the lofty 
goal of PDD 63 — making the government a model — will require sustained top 
management support, consistent oversight, and additional levels of technical 
and funding support. Taking steps to address the issues outlined in my 
statement could help the government put its own house in order and more 
effectively work with the private sector to protect critical 
infrastructures. This concludes my testimony. I will be happy to answer any 
questions you or Members of the Subcommittee may have. 

[14] FedCIRC — the Federal Computer Incident Response Capability — a 
reporting center at the General Services Administration. 
Senator Kyl. I also want to note that Mr. Richard Schaeffer, Di- 
rector of Infrastructure and Information Assurance, Office of the 
Assistant Secretary of Defense, has submitted a written statement 
which will be included in the record. His statement comments on 
DOD’s role and responsibility relative to the PDD 63 and the na- 
tional plan. 

[The prepared statement of Mr. Schaeffer follows:] 

Prepared Statement of Richard C. Schaeffer, Jr., Director, Infrastructure 

AND Information Assurance Office of the Assistant Secretary of Defense 

INTRODUCTION 

Information Superiority is essential to our capability to meet the challenges of the 
21st Century. It is a key enabler of Joint Vision 2010 and its four fundamental oper- 
ational concepts of dominant maneuver, precision engagement, full dimensional pro- 
tection and focused logistics. This is because each of these concepts demands that 
we obtain, process, distribute and protect critical information in a timely manner, 
while preventing our adversaries from doing the same. Without Information Superi- 
ority we will, very simply, not be able to achieve the goals established by the De- 
partment in Joint Vision 2010. 

Information technology has provided us with a means to gain a military advan- 
tage over our adversaries while actually reducing our force structure. These tech- 
nologies have made precision strike and focused logistics possible. They allow us to 
attack targets surgically with fewer munitions (albeit more expensive ones), and 
manage our logistics requirements more efficiently so we can move forces much far- 
ther and faster — and sustain them — than we have ever been able to do before. Simi- 
larly, information systems are essential to the situational awareness needed to 
achieve dominant maneuver and full dimensional protection. 

But our dependence on these systems, and their presence in every aspect of our 
operations, has made us very vulnerable should they be disrupted. The same tech- 
nologies we can use to such advantage are becoming available to our adversaries. 
And because they are relatively inexpensive and accessible, the range of adversaries 
that potentially can cause great disruption has broadened considerably. 

We no longer have the luxury of focusing our defense, as we once did, mainly on 
our peer competitors. We now have to establish defenses that will defeat attacks by 
major adversaries as well as by the terrorist, hacker, and disenchanted insider — and 
the latter is a significant challenge. In the past much of our defensive efforts fo- 
cused on protecting our offensive capabilities. Now we also have to protect an exten- 
sive DOD information infrastructure — virtually all of which depend on commercial 
communications networks — as well as the other critical Defense infrastructures it 
supports. We simply cannot conduct and sustain offensive operations without these 
critical infrastructures. 

I am not especially concerned about our ability to develop and employ the infor- 
mation technologies needed to achieve the strike, maneuver, and other offensive 
goals of Joint Vision 2010, I am very concerned about our ability to defend the infor- 
mation systems that make actual offensive operations possible. Not too long ago we 
focused primarily on the “confidentiality” aspects of our information systems (can 
we keep something secret). Today, we must address a much broader concept that 
we call ‘Information Assurance.’ This includes not only confidentiality of informa- 
tion, but also the integrity of the data bases from which it’s drawn, the availability 
of the infrastructure to deliver the message, our ability to identify and authenticate 
those who are using our networks, and non-repudiation features to keep people from 
reneging on electronic contracts. These five factors: confidentiality, integrity, avail- 
ability, identification and authentication, and non-repudiation constitute informa- 
tion assurance or IA. 

Over the past two years, we have initiated a number of efforts to improve the 
overall information assurance posture of the Department. We established a Defense- 
wide Information Assurance Program (DIAP) to bring a comprehensive IA approach 
to this almost overwhelming challenge of building and sustaining a secure informa- 
tion infrastructure. Since 1997 we have conducted a number of exercises, and expe- 
rienced real world events, that have emphasized to all of us in DOD that our infor- 
mation systems are interconnected, and hence interdependent. This means that we 
conduct our daily operations in a shared-risk environment, underscoring the need 
for all organizations connecting to a network to thoroughly understand the risks 
that exist prior to operating in that environment. Each organization must know in 
advance whether they can accept, manage, or adequately mitigate risks that have 
been accepted by others before connecting to a network. 

ELIGIBLE RECEIVER, in June 1997, was the first large-scale exercise designed 
to test our ability to respond to an attack on our information infrastructure. De- 
signed to test DOD planning and crisis-action capabilities, it also evaluated our abil- 
ity to work with other branches of government to respond to an attack on our Na- 
tional Infrastructures. 

ELIGIBLE RECEIVER revealed significant vulnerabilities in our information sys- 
tems and the interdependence of the defense and national information infrastruc- 
tures. It showed that we had little capability to detect or assess cyber attacks and 
that our “indications and warning” process for cyber events was totally inadequate. 

A few months later, in early 1998, we experienced a series of attacks that targeted 
DOD network Domain Name Servers, exploiting a well-known vulnerability in the 
Solaris Operating System. Known as SOLAR SUNRISE, these attacks were wide- 
spread, systematic and showed a pattern that indicated they might be the prepara- 
tion for a coordinated attack on the Defense Information Infrastructure. The attacks 
targeted key parts of Defense Networks at a time we were preparing for possible 
military operations in Southwest Asia. 

SOLAR SUNRISE validated the findings from ELIGIBLE RECEIVER and helped 
focus the legal issues surrounding cyber attacks. Because of the world situation, it 
was a high interest incident that significantly increased pressure for a quick re- 
sponse. It also validated the need to establish a standing response team. The ELIGI- 
BLE RECEIVER/SOLAR SUNRISE experience resulted in a number of defensive ac- 
tions being taken. Specifically, we have: 

• Increased our situational awareness by establishing a 24-hour watch. 

• Established positive control over the identification and repair of information 
systems at risk — SOLAR SUNRISE could have been prevented had available 
patches been in place in certain computer operating systems! 

• Installed intrusion detection systems on key system nodes. 

• Expanded computer emergency response teams to perform alerts, critical triage 
and repair. 

• Developed contingency plans to mitigate the degradation or loss of networks. 

• Improved our ability to analyze data rapidly and assess attacks. 

• Established a close working relationship with the National Infrastructure Pro- 
tection Center (NIPC), teaming with law enforcement agencies and developed 
procedures to share information with the private sector. 

• Increased “red team” exercises to test our systems and improve our operational 
readiness. 

Dependence on interconnected information systems and networks will only in- 
crease as we move into the 21st Century and towards Joint Vision 2010. We cannot 
eliminate this “networked dependence,” so we have to meet the challenges of Com- 
puter Network Defense, even as we change our systems to make them less suscep- 
tible to attack. Defending a computer network is a significant challenge and the 
challenge is increasing daily. Actually, it is a set of very significant technical chal- 
lenges and associated legal and social issues. There are significant technical prob- 
lems with characterizing and attributing attacks in complex networks that have no 
real borders. And as we develop technical solutions, we inevitably find ourselves im- 
mersed in a host of policy and legal issues — law enforcement versus national secu- 
rity interests, domestic versus foreign intelligence — while trying to work significant 
operational problems requiring the most urgent attention. 

To address the operational response problem in a coherent and integrated manner, the DOD activated a Joint Task Force for Computer Network Defense (JTF-CND). Established in December 1998, it is directly responsible to the Secretary of Defense. The Joint Task Force is, in conjunction with the CINCs, Services and Agencies, responsible for coordinating and directing the defense of DOD computer systems and computer networks. Its mission includes the coordination of DOD defensive actions with non-DOD government agencies and appropriate private organizations. This is a major first step in restructuring the Command and Control regime in the Department to address the crucial importance of computer network defense in both our war fighting and business operations. The task force is based in Washington to provide interagency access and leverage established relationships with the Federal Bureau of Investigation (FBI), Central Intelligence Agency (CIA), Defense Intelligence Agency (DIA), and the National Security Agency (NSA). It provides a single, accessible DOD point of contact with the NIPC. And it is co-located with the Defense Information Systems Agency (DISA) so that it can leverage their technical and operational capabilities: their network management center, an established 24-hour operations center, and regional operations centers with CINC liaison. This co-location also facilitates coordination with the National Communications System. As of October 1, 1999, the United States Space Command was assigned responsibility for computer network defense (CND), with JTF-CND reporting directly to this unified command.

It is important to understand that we will always have to deal with a network 
of interconnected and interdependent information infrastructures that serve an 
ever-expanding set of interrelated communities. We cannot avoid this global inter- 
action. And we, DOD and the U.S. Government, will have relatively little effect on 
its evolution. We must take advantage of it, understand its perils, and design an 
appropriate level of security into our systems and procedures. We have to learn to 
adapt our security practices to the evolving global environment. 

At the same time we must be ever vigilant to a world that is an increasingly dan- 
gerous place. As we’ve improved our ability to monitor network activities, the num- 
ber of probes, intrusions, and cyber events we can observe continues to increase. We 
are now detecting 80 to 100 events daily. Of these approximately 10 each day re- 
quire detailed investigation. Such investigations are carried out by many of the 
same people we rely on to keep our networks operational, so there are limits on the 
resources we have to work with. 

We also must recognize that the interconnected nature of the information infra- 
structure, and the increasing availability and sophistication of hacker tools, places 
at risk immediately any information that is not properly secured. We are increas- 
ingly concerned about those who have legitimate access to our networks — the trust- 
ed insider. This is consistent with industry experience, which reports significant 
losses from disgruntled or dishonest employees. 

We have taken significant steps to increase our internal security and security 
awareness, but again, vigilance is the watchword. Internet exploitation operations 
can be executed remotely, from any country. They can be completely anonymous, 
done in real time and automatically. There are extraordinary resources available to 
the data “miner.” Our own “red team” assessment last year of DOD information 
available on the Internet revealed some very sensitive material. We recently com- 
pleted a major examination of all the information the Department has on its web 
pages and have instituted stringent procedures to insure that classified or sensitive 
material, alone or in aggregate, is not inadvertently accessible. 

The Secretary has also instituted a policy to insure that every individual in the 
DOD with access to Top Secret or a specially controlled access category or compart- 
ment make an oral attestation that they will conform to the conditions and respon- 
sibilities imposed by that access. We are using this as a means to reinforce to DOD 
personnel the significance of the responsibilities associated with access to this infor- 
mation. 

We also recognize that our dependence on the information infrastructure extends 
to our other critical infrastructures as well. We have reorganized within OSD to 
bring information assurance and critical infrastructure protection together under a 
single Director. We have developed, and are now implementing, our Critical Infra- 
structure Protection plan. The Defense Department is serious about protecting its 
critical infrastructures. We have provided a comprehensive chapter to the national 
plan outlining how DOD will meet our defense mission (e.g. facilities, equipment), 
determining the critical assets, identifying their associated vulnerabilities, recogniz- 
ing interdependencies and taking measures to protect them. 

I would like to outline the two major concepts on how Critical Infrastructure Pro- 
tection (CIP) will be addressed within and outside DOD. 

To examine critical infrastructure (CI) issues within DOD, we will have representatives (some full time, some part time) from each of the defense infrastructure sectors — financial; transportation; public works; Defense Information Infrastructure/Command, Control, & Communications (DII/C3); Intelligence, Sensors, & Reconnaissance (ISR); health affairs; personnel; emergency preparedness; space; and logistics — that will work together to discuss common infrastructure concerns. They will identify critical nodes and networks, nationally and internationally, that the DOD depends upon to execute successful military operations. They will assess the vulnerability of such nodes and networks to physical and/or cyber attack and make recommendations to enhance their security. The infrastructure providers — the private sector — are indispensable in our execution of military operations. This brings me to my second point — how we reach outside DOD.

PDD 63 calls for a partnership with the private sector. Along with others in government, we are exploring with industry the best concepts on how we share or “partner” information with the private sector. Private sector involvement is crucial throughout the continuum of the Defense infrastructure, but we are working with industry to determine how government and private sector companies will exchange information (e.g. classified, business confidential) and the means by which it should be shared, documented and updated routinely. At the DOD installation level, we are exploring information-sharing concepts on two fronts. First, we need to ensure that the government and private sector representatives (e.g. the installation commander and staff with the local railroad owner) — our first line defenders — jointly respond to the needs identified in the planning assessments. Second, these government and private sector representatives will need to work with state, local, and county governments to determine what their installations need in order to support their missions. Our goal is the establishment of an information-sharing model that allows for a continuous and credible information flow from the installation level to senior levels in government to include the National Information Protection Center (NIPC).

So where do we go from here? What is the way ahead? There is no simple or sin- 
gle solution. Our strategy is based on a multidimensional approach. We must have 
trained and disciplined personnel. We must improve our operations. And we must 
be innovative technologically. We have to recognize that information technology is 
vitally important to all the DOD critical infrastructures. And we must implement 
this strategy through a comprehensive, coherent, and integrated Defense-wide infra- 
structure and information assurance program. 

Some steps we are taking include: 

• Employing a defense in depth security model and changing our basic approach 
to network architecture. A major effort is underway to fundamentally restruc- 
ture the Defense Information Infrastructure into a Global Networked Informa- 
tion Enterprise (GNIE) — a new concept of how the Department will meet its in- 
formation needs. 

• Moving toward a robust, DOD Public Key Infrastructure (PKI) that can bring 
public key cryptography to bear to help provide the required range of assurance 
and data integrity services as well as permitting segregation of the networks 
into communities of interest. This will allow us to limit the extent of the dam- 
age an intruder can inflict. 

• Increasing our deployment of more sophisticated intrusion detection and mon- 
itoring technology. 

• Continuing to build strategic partnerships with industry to foster an open secu- 
rity framework and development of security enabled products. 

• Investing our R&D dollars in developing highly assured products and systems 
and for real-time monitoring, data collection, analysis and visualization. 

In addition, the JTF-CND is working toward full operational capability (FOC) and we are expanding our CINC, Service and Agency Computer Emergency Response Teams. We are instituting a real-time network monitoring and reporting structure. We have established positive control through our Information Assurance Vulnerability Alert or IAVA process. We are establishing a continuous vulnerability analysis and assessment program, and are increasing our red team assessment capability. We have made significant improvements in our ability to perform long-term trend analysis, thereby identifying certain types of sophisticated attacks.

We are increasing our efforts to promote information assurance training and 
awareness. We are looking closely at certification and retention issues for personnel 
performing key functions — the system administrators and system maintainers. And 
we are examining an expanded use of military reserves. 

Substantial progress has been made, but we must always think of it as a journey, 
not a destination. As new technology is created, new attacks will be developed, and 
new countermeasures must be adopted. There is a lot more that has to be done in 
virtually every area that I’ve mentioned today. But only by recognizing this chal- 
lenge, and facing it head on, can we realize the military potential afforded by 
achieving Information Superiority. 

Senator Kyl. I invite anyone else who would like to submit a 
statement for this record to do so. One of the best things, I think, 
we can do is to make the record here and then get that out to the 
public. 

I appreciate the work that you are doing with GAO. Keep it up. 
We will be calling upon you again. 

If there is not anything further, then this hearing will be ad- 
journed. 

[Whereupon, at 11:40 a.m., the subcommittee was adjourned.] 